Concrete CMS < 8.5.6 Multiple Vulnerabilities

Information

Severity: High

Family: Web application abuses

CVSSv2 Base: 7.5

CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Solution Type: Vendor Patch

Created: 2 years ago

Modified: 2 years ago

Summary

Concrete CMS is prone to multiple vulnerabilities.

Insight

The following vulnerabilities exist:

- CVE-2021-22949: CSRF allows an attacker to duplicate files, which can lead to UI inconvenience and exhaustion of disk space
- CVE-2021-22950: CSRF allowing attachments to comments in the conversation section to be deleted
- CVE-2021-22953: CSRF allows an attacker to clone topics, which can lead to UI inconvenience and exhaustion of disk space
- CVE-2021-40097: Authenticated path traversal leads to remote code execution via uploaded PHP code, related to the bFilename parameter
- CVE-2021-40098: Path traversal leading to RCE via external form by adding a regular expression
- CVE-2021-40099: Fetching the update JSON scheme over HTTP leads to remote code execution
- CVE-2021-40100: Stored XSS can occur in Conversations when the Active Conversation Editor is set to Rich Text
- CVE-2021-40102: Arbitrary file deletion can occur via PHAR deserialization in is_dir
- CVE-2021-40103: Path traversal can lead to arbitrary file reading and SSRF
- CVE-2021-40104: SVG sanitizer bypass
- CVE-2021-40105: XSS via Markdown comments
- CVE-2021-40106: Unauthenticated stored XSS in blog comments via the website field
- CVE-2021-40107: Stored XSS in comment section/File Manager
- CVE-2021-40108: CSRF in the calendar
- CVE-2021-40109: SSRF

Affected Software

Concrete CMS versions prior to 8.5.6.

Detection Method

Checks if a vulnerable version is present on the target host.
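The check described above compares the version detected on the target against the fixed release. The following is an added illustration, not the Mageni/OpenVAS plugin code itself; it assumes the version string has already been extracted from the target and shows the numeric comparison that avoids the common lexicographic mistake (treating "8.5.10" as older than "8.5.6").

```python
# Added example, not the scanner's own plugin code.
# Assumes `detected` is a version string already obtained from the target.
import re
from typing import Optional, Tuple

FIXED_VERSION = "8.5.6"  # from this record: fixed in 8.5.6 and later


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted numeric version ('8.5.5', 'v8.5.5a') as a tuple of ints.

    Returns None when no version number is present, so the caller can report
    'unknown' instead of silently treating the host as not vulnerable.
    """
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(detected: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if detected < fixed, comparing component by component as integers.

    None means the version could not be parsed; a version-based check must not
    turn an unparseable banner into a 'not vulnerable' result.
    """
    d = parse_version(detected)
    f = parse_version(fixed)
    if d is None or f is None:
        return None
    # Pad with zeros so '8.5' is compared as '8.5.0'.
    width = max(len(d), len(f))
    d = d + (0,) * (width - len(d))
    f = f + (0,) * (width - len(f))
    return d < f
```

As with any version-based check, a host reported as vulnerable here should be confirmed against the installed package, since the detection does not exercise the flaws themselves.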

Solution

Update to version 8.5.6 or later.