Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/29439?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/29439?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.14", "type": "composer", "namespace": "concrete5", "name": "concrete5", "version": "8.5.14", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "9.4.8", "latest_non_vulnerable_version": "9.4.8", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64134?format=api", "vulnerability_id": "VCID-2a3x-n2fy-eqce", "summary": "Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file. Stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3180", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28128", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28142", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28153", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.2793", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3180" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/822e689cefe1eb876e9de31dad9ce660f3b5c295", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/822e689cefe1eb876e9de31dad9ce660f3b5c295" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/e85ef2408a5eea7d5646178fbef0ab243baaed8f", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/e85ef2408a5eea7d5646178fbef0ab243baaed8f" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.", "reference_id": "8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-03T19:52:55Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA." 
}, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.", "reference_id": "928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-03T19:52:55Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA." }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3180", "reference_id": "CVE-2024-3180", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3180" }, { "reference_url": "https://github.com/advisories/GHSA-9qhc-pg6j-wf23", "reference_id": "GHSA-9qhc-pg6j-wf23", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9qhc-pg6j-wf23" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30162?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": 
"VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/30163?format=api", "purl": "pkg:composer/concrete5/concrete5@9.2.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-9z1s-b811-3ug2" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-eyep-q35n-ebcv" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-pgfy-52ca-wbbf" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.8" } ], "aliases": [ "CVE-2024-3180", "GHSA-9qhc-pg6j-wf23" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.8", "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-2a3x-n2fy-eqce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64296?format=api", "vulnerability_id": "VCID-3514-7uhf-pufd", "summary": "Concrete CMS versions 9 below 9.2.8 and versions below 8.5.16 are vulnerable to Cross-site Scripting (XSS) in the Advanced File Search Filter. Prior to the fix, a rogue administrator could add malicious code in the file manager because of insufficient validation of administrator provided data. All administrators have access to the File Manager and hence could create a search filter with the malicious code attached. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator .", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3178", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28128", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28142", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28153", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.2793", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3178" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": 
"https://github.com/concretecms/concretecms/commit/822e689cefe1eb876e9de31dad9ce660f3b5c295", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/822e689cefe1eb876e9de31dad9ce660f3b5c295" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/f2ea49b3cdbac3cbfdf5d3c862de7b7097bbe904", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/f2ea49b3cdbac3cbfdf5d3c862de7b7097bbe904" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/11988", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/pull/11988" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/11989", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/pull/11989" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.", "reference_id": 
"8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-03T19:59:20Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA." }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.", "reference_id": "928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-03T19:59:20Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA." 
}, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3178", "reference_id": "CVE-2024-3178", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3178" }, { "reference_url": "https://github.com/advisories/GHSA-xwrh-qxmc-x8c8", "reference_id": "GHSA-xwrh-qxmc-x8c8", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xwrh-qxmc-x8c8" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30162?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/30163?format=api", "purl": "pkg:composer/concrete5/concrete5@9.2.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-9z1s-b811-3ug2" }, { "vulnerability": 
"VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-eyep-q35n-ebcv" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-pgfy-52ca-wbbf" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.8" } ], "aliases": [ "CVE-2024-3178", "GHSA-xwrh-qxmc-x8c8" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3514-7uhf-pufd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/63186?format=api", "vulnerability_id": "VCID-542x-fkyy-sfcp", "summary": "Concrete CMS version 9 before 9.2.8 and previous versions prior to 8.5.16 is vulnerable to Stored XSS on the calendar color settings screen since Information input by the user is output without escaping. A rogue administrator could inject malicious javascript into the Calendar Color Settings screen which might be executed when users visit the affected page. 
The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.0 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator \n\nThank you Rikuto Tauchi for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2753", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00247", "scoring_system": "epss", "scoring_elements": "0.48202", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00247", "scoring_system": "epss", "scoring_elements": "0.48342", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00247", "scoring_system": "epss", "scoring_elements": "0.48339", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00247", "scoring_system": "epss", "scoring_elements": "0.48356", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2753" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/822e689cefe1eb876e9de31dad9ce660f3b5c295", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/822e689cefe1eb876e9de31dad9ce660f3b5c295" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/e85ef2408a5eea7d5646178fbef0ab243baaed8f", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/e85ef2408a5eea7d5646178fbef0ab243baaed8f" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.", "reference_id": "8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.", "reference_type": "", "scores": [ { "value": "2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:53:05Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA." 
}, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.", "reference_id": "928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.", "reference_type": "", "scores": [ { "value": "2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-21T14:53:05Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA." 
}, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2753", "reference_id": "CVE-2024-2753", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2753" }, { "reference_url": "https://github.com/advisories/GHSA-pj42-r64f-4xfq", "reference_id": "GHSA-pj42-r64f-4xfq", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pj42-r64f-4xfq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30162?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/30163?format=api", "purl": "pkg:composer/concrete5/concrete5@9.2.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-9z1s-b811-3ug2" }, { "vulnerability": 
"VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-eyep-q35n-ebcv" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-pgfy-52ca-wbbf" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.8" } ], "aliases": [ "CVE-2024-2753", "GHSA-pj42-r64f-4xfq" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-542x-fkyy-sfcp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/120419?format=api", "vulnerability_id": "VCID-7mj3-9jvf-vudw", "summary": "Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in the Folder function. The \"Add Folder\" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security team gave this vulnerability a CVSS 4.0 score of 4.8 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. 
Thanks, Alfin Joseph for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-0660", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00212", "scoring_system": "epss", "scoring_elements": "0.43779", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00212", "scoring_system": "epss", "scoring_elements": "0.43942", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00212", "scoring_system": "epss", "scoring_elements": "0.43954", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00212", "scoring_system": "epss", "scoring_elements": "0.43934", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-0660" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0660", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0660" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12454", "reference_id": "12454", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-11T15:38:19Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12454" }, { "reference_url": "https://github.com/concretecms/bedrock/pull/370", "reference_id": "370", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-11T15:38:19Z/" } ], "url": "https://github.com/concretecms/bedrock/pull/370" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes", "reference_id": "940-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-11T15:38:19Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes" }, { "reference_url": "https://github.com/advisories/GHSA-pvmx-mjmh-jfcx", "reference_id": "GHSA-pvmx-mjmh-jfcx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pvmx-mjmh-jfcx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/785786?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.0RC1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { 
"vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.0RC1" }, { "url": "http://public2.vulnerablecode.io/api/packages/377800?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.0-RC1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.0-RC1" } ], "aliases": [ "CVE-2025-0660", "GHSA-pvmx-mjmh-jfcx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7mj3-9jvf-vudw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/63538?format=api", "vulnerability_id": "VCID-8war-c3pp-kuf5", "summary": "Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Name field which might be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.2 with a vector of AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Concrete versions below 9 do not include group types so they are not affected by this vulnerability. 
Thanks Luca Fuda for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2179", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31147", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31145", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31161", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.3095", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2179" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/ac1ec9b069acac79869b2988e1f56cc5565a3dd4", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/ac1ec9b069acac79869b2988e1f56cc5565a3dd4" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/927-release-notes", "reference_id": "927-release-notes", "reference_type": "", "scores": [ { "value": "2.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-06T20:22:19Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/927-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2179", "reference_id": "CVE-2024-2179", "reference_type": "", "scores": [ { "value": "2.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2179" }, { "reference_url": "https://github.com/advisories/GHSA-4m7h-34xm-4wjv", "reference_id": "GHSA-4m7h-34xm-4wjv", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4m7h-34xm-4wjv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29537?format=api", "purl": "pkg:composer/concrete5/concrete5@9.2.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2a3x-n2fy-eqce" }, { "vulnerability": "VCID-3514-7uhf-pufd" }, { "vulnerability": "VCID-542x-fkyy-sfcp" }, { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-9j62-yk3f-bfgk" }, { "vulnerability": "VCID-9z1s-b811-3ug2" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-eyep-q35n-ebcv" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-pgfy-52ca-wbbf" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rgjf-p329-vbf8" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { 
"vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.7" } ], "aliases": [ "CVE-2024-2179", "GHSA-4m7h-34xm-4wjv" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8war-c3pp-kuf5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64388?format=api", "vulnerability_id": "VCID-9j62-yk3f-bfgk", "summary": "Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . 
Thanks Alexey Solovyev for reporting", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3181", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28128", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28142", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28153", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.2793", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3181" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/822e689cefe1eb876e9de31dad9ce660f3b5c295", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/822e689cefe1eb876e9de31dad9ce660f3b5c295" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/e85ef2408a5eea7d5646178fbef0ab243baaed8f", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/concretecms/concretecms/commit/e85ef2408a5eea7d5646178fbef0ab243baaed8f" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.", "reference_id": "8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-04T15:34:26Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA." }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.", "reference_id": "928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-04T15:34:26Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA." 
}, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3181", "reference_id": "CVE-2024-3181", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3181" }, { "reference_url": "https://github.com/advisories/GHSA-qgm9-rxmq-jxmq", "reference_id": "GHSA-qgm9-rxmq-jxmq", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qgm9-rxmq-jxmq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30162?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/30163?format=api", "purl": "pkg:composer/concrete5/concrete5@9.2.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-9z1s-b811-3ug2" }, { "vulnerability": 
"VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-eyep-q35n-ebcv" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-pgfy-52ca-wbbf" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.8" } ], "aliases": [ "CVE-2024-3181", "GHSA-qgm9-rxmq-jxmq" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9j62-yk3f-bfgk" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45535?format=api", "vulnerability_id": "VCID-c2xh-rq7d-wqey", "summary": "Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Thank you, Yusuke Uchida for reporting. 
CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-7398", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.40884", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.41061", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.41072", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.4105", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-7398" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12183", "reference_id": "12183", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:04:57Z/" } ], "url": 
"https://github.com/concretecms/concretecms/pull/12183" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12184", "reference_id": "12184", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:04:57Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12184" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5", "reference_id": "7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:04:57Z/" } ], "url": "https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes", "reference_id": "8519-release-notes", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:04:57Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes", "reference_id": "934-release-notes", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:04:57Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7398", "reference_id": "CVE-2024-7398", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7398" }, { "reference_url": "https://github.com/advisories/GHSA-x8h2-255q-jg4x", "reference_id": "GHSA-x8h2-255q-jg4x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x8h2-255q-jg4x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33393?format=api", "purl": 
"pkg:composer/concrete5/concrete5@8.5.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/33394?format=api", "purl": "pkg:composer/concrete5/concrete5@9.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.3.4" } ], "aliases": [ "CVE-2024-7398", "GHSA-x8h2-255q-jg4x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c2xh-rq7d-wqey" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/357423?format=api", "vulnerability_id": "VCID-d263-cpsv-fkeg", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48652", "reference_id": "", "reference_type": "", 
"scores": [ { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.5668", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56801", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56816", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56805", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48652" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48652", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48652" }, { "reference_url": "https://github.com/advisories/GHSA-qp42-5pj7-4ccm", "reference_id": "GHSA-qp42-5pj7-4ccm", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qp42-5pj7-4ccm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29435?format=api", "purl": "pkg:composer/concrete5/concrete5@9.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2a3x-n2fy-eqce" }, { "vulnerability": "VCID-2x2h-cef1-yfee" }, { "vulnerability": "VCID-3514-7uhf-pufd" }, { "vulnerability": "VCID-542x-fkyy-sfcp" 
}, { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-8war-c3pp-kuf5" }, { "vulnerability": "VCID-9j62-yk3f-bfgk" }, { "vulnerability": "VCID-9z1s-b811-3ug2" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-eyep-q35n-ebcv" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-pd9w-6ke4-13hr" }, { "vulnerability": "VCID-pgfy-52ca-wbbf" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rgjf-p329-vbf8" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-w8rd-ssb2-pkgx" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.3" } ], "aliases": [ "CVE-2023-48652", "GHSA-qp42-5pj7-4ccm" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d263-cpsv-fkeg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/85463?format=api", "vulnerability_id": "VCID-d4bd-m93f-aqf2", "summary": "In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. 
Thanks M3dium for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3242", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01394", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.0139", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01381", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01379", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3242" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826", "reference_id": "12826", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:42:24Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12826" }, { "reference_url": 
"https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes", "reference_id": "948-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:42:24Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3242", "reference_id": "CVE-2026-3242", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3242" }, { "reference_url": "https://github.com/advisories/GHSA-w9qg-chfh-g3q9", "reference_id": "GHSA-w9qg-chfh-g3q9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w9qg-chfh-g3q9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ "CVE-2026-3242", "GHSA-w9qg-chfh-g3q9" ], "risk_score": 3.1, "exploitability": "0.5", 
"weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d4bd-m93f-aqf2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/127526?format=api", "vulnerability_id": "VCID-dgf1-ded8-4uef", "summary": "Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. Attackers are limited to individuals whom a site administrator has granted the ability to fill in an address attribute. It is possible for the attacker to glean limited information from the site but amount and type is restricted by mitigating controls and the level of access of the attacker. Limited data modification is possible. The dashboard page itself could be rendered unavailable. \nThe fix only sanitizes new data uploaded post update to Concrete CMS 9.4.0RC2. Existing database entries added before the update will still be “live” if there were successful exploits added under previous versions; a database search is recommended. 
The Concrete CMS security team gave this vulnerability CVSS v.4.0 score of 5.1 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L Thanks Myq Larson for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-3153", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.56494", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.56617", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.56613", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.56627", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-3153" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3153", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3153" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12511", 
"reference_id": "12511", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T14:04:27Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12511" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12512", "reference_id": "12512", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T14:04:27Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12512" }, { "reference_url": "https://github.com/concretecms/concretecms/releases/tag/8.5.20", "reference_id": "8.5.20", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T14:04:27Z/" } ], "url": "https://github.com/concretecms/concretecms/releases/tag/8.5.20" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes", "reference_id": "940-release-notes", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T14:04:27Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes" }, { "reference_url": "https://github.com/advisories/GHSA-cmm4-p9v2-q453", "reference_id": "GHSA-cmm4-p9v2-q453", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cmm4-p9v2-q453" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376518?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": 
"VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/791691?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.0RC2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.0RC2" }, { "url": "http://public2.vulnerablecode.io/api/packages/376517?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.0-RC2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.0-RC2" } ], "aliases": [ "CVE-2025-3153", "GHSA-cmm4-p9v2-q453" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dgf1-ded8-4uef" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/92329?format=api", "vulnerability_id": "VCID-dx1t-b982-5ucd", "summary": "Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. 
The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Fortbridge https://fortbridge.co.uk/ for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-8571", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49646", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49788", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49801", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49782", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-8571" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/4b39dcc17c309dc82eb8398e8cdb146942f62f92", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/4b39dcc17c309dc82eb8398e8cdb146942f62f92" }, { "reference_url": 
"https://github.com/concretecms/concretecms/commit/f7630b467d3a234d3d333ca117046a500e7ee2b6", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/f7630b467d3a234d3d333ca117046a500e7ee2b6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8571", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8571" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8521-release-notes", "reference_id": "8521-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-06T16:14:47Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8521-release-notes" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes", "reference_id": "943-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-06T16:14:47Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes" }, { "reference_url": "https://www.concretecms.org/download", "reference_id": "download", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-06T16:14:47Z/" } ], "url": "https://www.concretecms.org/download" }, { "reference_url": "https://github.com/advisories/GHSA-4pcg-pjp5-3mc6", "reference_id": "GHSA-4pcg-pjp5-3mc6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4pcg-pjp5-3mc6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377523?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/377524?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { 
"vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.3" } ], "aliases": [ "CVE-2025-8571", "GHSA-4pcg-pjp5-3mc6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dx1t-b982-5ucd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66432?format=api", "vulnerability_id": "VCID-g134-5qhy-mudn", "summary": "ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30662", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.1891", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18751", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18934", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18916", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30662" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { 
"value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30662", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30662" }, { "reference_url": "https://wang1rrr.github.io/2026/02/11/CVE-Report-ConcreteCMS-DoS", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://wang1rrr.github.io/2026/02/11/CVE-Report-ConcreteCMS-DoS" }, { "reference_url": "https://wang1rrr.github.io/2026/02/11/CVE-Report-ConcreteCMS-DoS/", "reference_id": "CVE-Report-ConcreteCMS-DoS", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:49:15Z/" } ], "url": "https://wang1rrr.github.io/2026/02/11/CVE-Report-ConcreteCMS-DoS/" }, { "reference_url": "https://github.com/advisories/GHSA-p68c-rmfh-j48h", "reference_id": "GHSA-p68c-rmfh-j48h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p68c-rmfh-j48h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": 
"pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ "CVE-2026-30662", "GHSA-p68c-rmfh-j48h" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g134-5qhy-mudn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45871?format=api", "vulnerability_id": "VCID-hdw7-spv5-k3c6", "summary": "Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v4.0 rank of 4.6 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks, m3dium for reporting. (CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-7394", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03921", "scoring_system": "epss", "scoring_elements": "0.88575", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.03921", "scoring_system": "epss", "scoring_elements": "0.88619", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.03921", "scoring_system": "epss", "scoring_elements": "0.88621", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.03921", "scoring_system": "epss", "scoring_elements": "0.88614", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-7394" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/3a5974e94892c43388c3529e57a140bf2967c734", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/3a5974e94892c43388c3529e57a140bf2967c734" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/e7e0eb95a0c4d0875c3712e33f495be76578cd5a", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/e7e0eb95a0c4d0875c3712e33f495be76578cd5a" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12166", "reference_id": "12166", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T12:54:29Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12166" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8518-release-notes?pk_vid=e367a434ef4830491723055758d52041", "reference_id": "8518-release-notes?pk_vid=e367a434ef4830491723055758d52041", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T12:54:29Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8518-release-notes?pk_vid=e367a434ef4830491723055758d52041" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723055753d52041", "reference_id": "933-release-notes?pk_vid=e367a434ef4830491723055753d52041", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T12:54:29Z/" } ], "url": 
"https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723055753d52041" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/c08d9671cec4e7afdabb547339c4bc0bed8eab06", "reference_id": "c08d9671cec4e7afdabb547339c4bc0bed8eab06", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T12:54:29Z/" } ], "url": "https://github.com/concretecms/concretecms/commit/c08d9671cec4e7afdabb547339c4bc0bed8eab06" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7394", "reference_id": "CVE-2024-7394", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7394" }, { "reference_url": "https://github.com/advisories/GHSA-w6j6-w6jx-vf2r", "reference_id": "GHSA-w6j6-w6jx-vf2r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w6j6-w6jx-vf2r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32956?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, 
{ "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/32957?format=api", "purl": "pkg:composer/concrete5/concrete5@9.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.3.3" } ], "aliases": [ "CVE-2024-7394", "GHSA-w6j6-w6jx-vf2r" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hdw7-spv5-k3c6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/34796?format=api", "vulnerability_id": "VCID-htqe-191f-1yab", "summary": "Concrete CMS versions 
9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color. A rogue admin could add malicious code to the Thumbnails/Add-Type. The Concrete CMS Security Team gave this a CVSS v4 score of 5.1 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks, Alexey Solovyev for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8291", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00339", "scoring_system": "epss", "scoring_elements": "0.57049", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00339", "scoring_system": "epss", "scoring_elements": "0.57175", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00339", "scoring_system": "epss", "scoring_elements": "0.57168", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00339", "scoring_system": "epss", "scoring_elements": "0.57182", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8291" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/d97b43b8dd0b5578b41d2ffb5b2186a44c2c772c", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/d97b43b8dd0b5578b41d2ffb5b2186a44c2c772c" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12183", "reference_id": "12183", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:05:39Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12183" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes", "reference_id": "8519-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:05:39Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes", 
"reference_id": "934-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:05:39Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8291", "reference_id": "CVE-2024-8291", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8291" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/dbce253166f6b10ff3e0c09e50fd395370b8b065", "reference_id": "dbce253166f6b10ff3e0c09e50fd395370b8b065", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:05:39Z/" } ], "url": "https://github.com/concretecms/concretecms/commit/dbce253166f6b10ff3e0c09e50fd395370b8b065" }, { "reference_url": 
"https://github.com/advisories/GHSA-q7qr-22qw-pqgx", "reference_id": "GHSA-q7qr-22qw-pqgx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q7qr-22qw-pqgx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33393?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/33394?format=api", "purl": "pkg:composer/concrete5/concrete5@9.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.3.4" } ], "aliases": [ "CVE-2024-8291", "GHSA-q7qr-22qw-pqgx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": 
"6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-htqe-191f-1yab" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/85790?format=api", "vulnerability_id": "VCID-nahk-p3f1-8bee", "summary": "In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the \"Legacy Form\" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3241", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01237", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01233", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.01227", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.0123", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3241" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826", "reference_id": "12826", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:41:54Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12826" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes", "reference_id": "948-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:41:54Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3241", "reference_id": "CVE-2026-3241", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" 
} ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3241" }, { "reference_url": "https://github.com/advisories/GHSA-f4vq-pj32-gr4q", "reference_id": "GHSA-f4vq-pj32-gr4q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f4vq-pj32-gr4q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ "CVE-2026-3241", "GHSA-f4vq-pj32-gr4q" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nahk-p3f1-8bee" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/34088?format=api", "vulnerability_id": "VCID-nuz6-12nr-2yga", "summary": "Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.18 are vulnerable to Stored XSS in the \"Next&Previous Nav\" block. A rogue administrator could add a malicious payload that is then executed in the browsers of targeted users. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Since the \"Next&Previous Nav\" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. 
Thanks, Chu Quoc Khanh for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8661", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00539", "scoring_system": "epss", "scoring_elements": "0.68027", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00539", "scoring_system": "epss", "scoring_elements": "0.68124", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00539", "scoring_system": "epss", "scoring_elements": "0.68128", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00539", "scoring_system": "epss", "scoring_elements": "0.68115", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8661" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/3e548b416ae32efee1e0a42c4510be1106c7eb25", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/concretecms/concretecms/commit/3e548b416ae32efee1e0a42c4510be1106c7eb25" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12204", "reference_id": "12204", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:05:43Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12204" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes", "reference_id": "8519-release-notes", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:05:43Z/" } ], "url": 
"https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes", "reference_id": "934-release-notes", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:05:43Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4", "reference_id": "ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:05:43Z/" } ], "url": "https://github.com/concretecms/concretecms/commit/ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8661", "reference_id": "CVE-2024-8661", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8661" }, { "reference_url": "https://github.com/advisories/GHSA-xmxj-v2q8-8qx6", "reference_id": "GHSA-xmxj-v2q8-8qx6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xmxj-v2q8-8qx6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33393?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/33394?format=api", "purl": 
"pkg:composer/concrete5/concrete5@9.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.3.4" } ], "aliases": [ "CVE-2024-8661", "GHSA-xmxj-v2q8-8qx6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nuz6-12nr-2yga" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/85949?format=api", "vulnerability_id": "VCID-qndd-2vmq-guen", "summary": "In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. 
The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3240", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01379", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01394", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01381", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.0139", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3240" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826", "reference_id": "12826", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:32:45Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12826" }, { "reference_url": 
"https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes", "reference_id": "948-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:32:45Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3240", "reference_id": "CVE-2026-3240", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3240" }, { "reference_url": "https://github.com/advisories/GHSA-45fj-fvmm-xcc5", "reference_id": "GHSA-45fj-fvmm-xcc5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-45fj-fvmm-xcc5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ "CVE-2026-3240", "GHSA-45fj-fvmm-xcc5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qndd-2vmq-guen" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64702?format=api", "vulnerability_id": "VCID-rgjf-p329-vbf8", 
"summary": "Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page editing. Prior to the fix, a rogue administrator could insert malicious code in the custom class field due to insufficient validation of administrator provided data. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3179", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28128", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28142", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.28153", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00104", "scoring_system": "epss", "scoring_elements": "0.2793", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3179" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/822e689cefe1eb876e9de31dad9ce660f3b5c295", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/concretecms/concretecms/commit/822e689cefe1eb876e9de31dad9ce660f3b5c295" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/f2ea49b3cdbac3cbfdf5d3c862de7b7097bbe904", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/f2ea49b3cdbac3cbfdf5d3c862de7b7097bbe904" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/11988", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/pull/11988" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/11989", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/pull/11989" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.", "reference_id": "8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-03T20:02:16Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA." }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.", "reference_id": "928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-03T20:02:16Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA." 
}, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3179", "reference_id": "CVE-2024-3179", "reference_type": "", "scores": [ { "value": "3.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3179" }, { "reference_url": "https://github.com/advisories/GHSA-r7q4-cw9r-vhp4", "reference_id": "GHSA-r7q4-cw9r-vhp4", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r7q4-cw9r-vhp4" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30162?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/30163?format=api", "purl": "pkg:composer/concrete5/concrete5@9.2.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-9z1s-b811-3ug2" }, { "vulnerability": 
"VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-eyep-q35n-ebcv" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-pgfy-52ca-wbbf" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.8" } ], "aliases": [ "CVE-2024-3179", "GHSA-r7q4-cw9r-vhp4" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rgjf-p329-vbf8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/85813?format=api", "vulnerability_id": "VCID-rkx3-e4r3-c3gh", "summary": "Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. 
Thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of ZUSO ART https://zuso.ai/ for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3452", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00273", "scoring_system": "epss", "scoring_elements": "0.51008", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00273", "scoring_system": "epss", "scoring_elements": "0.51142", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00273", "scoring_system": "epss", "scoring_elements": "0.51139", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00273", "scoring_system": "epss", "scoring_elements": "0.51154", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3452" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920://", "reference_id": "167f16e4805d8ab546d2997c753ac21bf4854920:", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T16:02:03Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920://" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes", "reference_id": "948-release-notes", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T16:02:03Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3452", "reference_id": "CVE-2026-3452", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3452" }, { "reference_url": "https://github.com/advisories/GHSA-gj26-w59c-29mf", "reference_id": "GHSA-gj26-w59c-29mf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gj26-w59c-29mf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ 
"CVE-2026-3452", "GHSA-gj26-w59c-29mf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rkx3-e4r3-c3gh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/126308?format=api", "vulnerability_id": "VCID-tt5n-k5h8-xufp", "summary": "", "references": [ { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/yaowenxiao721/Poc/blob/main/Concretecms/Concretecms-poc5.md", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yaowenxiao721/Poc/blob/main/Concretecms/Concretecms-poc5.md" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2967", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2967" }, { "reference_url": "https://vuldb.com/?ctiid.302019", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://vuldb.com/?ctiid.302019" }, { "reference_url": "https://vuldb.com/?id.302019", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://vuldb.com/?id.302019" }, { "reference_url": "https://vuldb.com/?submit.522417", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" 
}, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://vuldb.com/?submit.522417" }, { "reference_url": "https://github.com/advisories/GHSA-xfqf-5rhg-5c73", "reference_id": "GHSA-xfqf-5rhg-5c73", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xfqf-5rhg-5c73" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/785786?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.0RC1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.0RC1" } ], "aliases": [ "CVE-2025-2967", "GHSA-xfqf-5rhg-5c73" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tt5n-k5h8-xufp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/85311?format=api", "vulnerability_id": "VCID-v39f-kpce-2qhz", "summary": "In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. 
The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks zolpak for reporting", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3244", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01381", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01394", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01379", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.0139", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3244" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826", "reference_id": "12826", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:50:43Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12826" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes", "reference_id": "948-release-notes", 
"reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:50:43Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3244", "reference_id": "CVE-2026-3244", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3244" }, { "reference_url": "https://github.com/advisories/GHSA-mm5f-5rqw-574f", "reference_id": "GHSA-mm5f-5rqw-574f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mm5f-5rqw-574f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ "CVE-2026-3244", "GHSA-mm5f-5rqw-574f" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v39f-kpce-2qhz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/84946?format=api", "vulnerability_id": "VCID-vdtu-qtuw-v3fs", "summary": "Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration 
via group_id parameter which can lead to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2994", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01454", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01471", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01456", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01463", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2994" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826", "reference_id": "12826", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:04:57Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12826" }, { "reference_url": 
"https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes", "reference_id": "948-release-notes", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:04:57Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2994", "reference_id": "CVE-2026-2994", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2994" }, { "reference_url": "https://github.com/advisories/GHSA-6mxw-2vhf-42g5", "reference_id": "GHSA-6mxw-2vhf-42g5", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6mxw-2vhf-42g5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ "CVE-2026-2994", "GHSA-6mxw-2vhf-42g5" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vdtu-qtuw-v3fs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47505?format=api", "vulnerability_id": "VCID-wau6-kvqa-pbgu", "summary": 
"Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v4 score of 5.1 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Thanks, m3dium for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4350", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01032", "scoring_system": "epss", "scoring_elements": "0.77756", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.01032", "scoring_system": "epss", "scoring_elements": "0.77831", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01032", "scoring_system": "epss", "scoring_elements": "0.77825", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01032", "scoring_system": "epss", "scoring_elements": "0.77838", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4350" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": 
"https://github.com/concretecms/concretecms/commit/55e485e06b0b3342613a55af6a7c61d939d2ccb5", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/55e485e06b0b3342613a55af6a7c61d939d2ccb5" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12166", "reference_id": "12166", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T12:51:55Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12166" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8518-release-notes?pk_vid=e367a434ef4830491723055758d52041", "reference_id": "8518-release-notes?pk_vid=e367a434ef4830491723055758d52041", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T12:51:55Z/" } 
], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8518-release-notes?pk_vid=e367a434ef4830491723055758d52041" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723060415d52041", "reference_id": "933-release-notes?pk_vid=e367a434ef4830491723060415d52041", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T12:51:55Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723060415d52041" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/c08d9671cec4e7afdabb547339c4bc0bed8eab06", "reference_id": "c08d9671cec4e7afdabb547339c4bc0bed8eab06", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T12:51:55Z/" } ], "url": "https://github.com/concretecms/concretecms/commit/c08d9671cec4e7afdabb547339c4bc0bed8eab06" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4350", "reference_id": "CVE-2024-4350", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4350" }, { "reference_url": "https://github.com/advisories/GHSA-q5wx-m95r-4cgc", "reference_id": "GHSA-q5wx-m95r-4cgc", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q5wx-m95r-4cgc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32956?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/32957?format=api", "purl": "pkg:composer/concrete5/concrete5@9.3.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": 
"VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.3.3" } ], "aliases": [ "CVE-2024-4350", "GHSA-q5wx-m95r-4cgc" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wau6-kvqa-pbgu" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/146384?format=api", "vulnerability_id": "VCID-ty11-5ff4-s7av", "summary": "Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. 
An attacker can force an admin to delete events on the site because the event ID is numeric and sequential.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48653", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00839", "scoring_system": "epss", "scoring_elements": "0.75217", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00839", "scoring_system": "epss", "scoring_elements": "0.7522", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00839", "scoring_system": "epss", "scoring_elements": "0.75137", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00839", "scoring_system": "epss", "scoring_elements": "0.75207", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48653" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/077755e6bbbc1c67b7508add9e3d207e8d8909a0", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/077755e6bbbc1c67b7508add9e3d207e8d8909a0" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/5b93470bcccf271810d3a0b190368ce6a9d6c84b", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/5b93470bcccf271810d3a0b190368ce6a9d6c84b" }, { "reference_url": "https://www.concretecms.org/about/project-news/security/2023-12-05-concrete-cms-new-cves-and-cve-updates", "reference_id": "2023-12-05-concrete-cms-new-cves-and-cve-updates", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T20:21:08Z/" } ], "url": "https://www.concretecms.org/about/project-news/security/2023-12-05-concrete-cms-new-cves-and-cve-updates" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/923-release-notes", "reference_id": "923-release-notes", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T20:21:08Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/923-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48653", "reference_id": "CVE-2023-48653", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48653" }, { "reference_url": "https://github.com/advisories/GHSA-3rxx-8f33-7p6p", "reference_id": "GHSA-3rxx-8f33-7p6p", "reference_type": "", 
"scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3rxx-8f33-7p6p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29439?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2a3x-n2fy-eqce" }, { "vulnerability": "VCID-3514-7uhf-pufd" }, { "vulnerability": "VCID-542x-fkyy-sfcp" }, { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-8war-c3pp-kuf5" }, { "vulnerability": "VCID-9j62-yk3f-bfgk" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d263-cpsv-fkeg" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rgjf-p329-vbf8" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/29435?format=api", "purl": "pkg:composer/concrete5/concrete5@9.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2a3x-n2fy-eqce" }, { "vulnerability": "VCID-2x2h-cef1-yfee" }, { "vulnerability": "VCID-3514-7uhf-pufd" }, { "vulnerability": "VCID-542x-fkyy-sfcp" }, { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-8war-c3pp-kuf5" }, { "vulnerability": "VCID-9j62-yk3f-bfgk" }, { "vulnerability": 
"VCID-9z1s-b811-3ug2" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-eyep-q35n-ebcv" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-pd9w-6ke4-13hr" }, { "vulnerability": "VCID-pgfy-52ca-wbbf" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rgjf-p329-vbf8" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-w8rd-ssb2-pkgx" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.3" } ], "aliases": [ "CVE-2023-48653", "GHSA-3rxx-8f33-7p6p" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ty11-5ff4-s7av" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/146354?format=api", "vulnerability_id": "VCID-tzyh-y7uc-hff9", "summary": "Concrete CMS before 8.5.14 and 9 before 9.2.3 is vulnerable to an admin adding a stored XSS payload via the Layout Preset name.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48650", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01073", "scoring_system": "epss", "scoring_elements": "0.78255", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01073", "scoring_system": "epss", "scoring_elements": "0.78259", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01073", "scoring_system": "epss", "scoring_elements": 
"0.78177", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.01073", "scoring_system": "epss", "scoring_elements": "0.78245", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-48650" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/077755e6bbbc1c67b7508add9e3d207e8d8909a0", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/077755e6bbbc1c67b7508add9e3d207e8d8909a0" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/5b93470bcccf271810d3a0b190368ce6a9d6c84b", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/5b93470bcccf271810d3a0b190368ce6a9d6c84b" }, { "reference_url": "https://www.concretecms.org/about/project-news/security/2023-12-05-concrete-cms-new-cves-and-cve-updates", "reference_id": "2023-12-05-concrete-cms-new-cves-and-cve-updates", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-01T18:50:14Z/" } ], "url": "https://www.concretecms.org/about/project-news/security/2023-12-05-concrete-cms-new-cves-and-cve-updates" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/923-release-notes", "reference_id": "923-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-01T18:50:14Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/923-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48650", "reference_id": "CVE-2023-48650", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48650" }, { "reference_url": "https://github.com/advisories/GHSA-x577-gcc9-9xjj", "reference_id": "GHSA-x577-gcc9-9xjj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x577-gcc9-9xjj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/29439?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2a3x-n2fy-eqce" }, { "vulnerability": "VCID-3514-7uhf-pufd" }, { "vulnerability": "VCID-542x-fkyy-sfcp" }, { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": 
"VCID-8war-c3pp-kuf5" }, { "vulnerability": "VCID-9j62-yk3f-bfgk" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d263-cpsv-fkeg" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rgjf-p329-vbf8" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/29435?format=api", "purl": "pkg:composer/concrete5/concrete5@9.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2a3x-n2fy-eqce" }, { "vulnerability": "VCID-2x2h-cef1-yfee" }, { "vulnerability": "VCID-3514-7uhf-pufd" }, { "vulnerability": "VCID-542x-fkyy-sfcp" }, { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-8war-c3pp-kuf5" }, { "vulnerability": "VCID-9j62-yk3f-bfgk" }, { "vulnerability": "VCID-9z1s-b811-3ug2" }, { "vulnerability": "VCID-c2xh-rq7d-wqey" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-eyep-q35n-ebcv" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-hdw7-spv5-k3c6" }, { "vulnerability": "VCID-htqe-191f-1yab" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-nuz6-12nr-2yga" }, { "vulnerability": "VCID-pd9w-6ke4-13hr" }, { "vulnerability": "VCID-pgfy-52ca-wbbf" }, { 
"vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rgjf-p329-vbf8" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-w8rd-ssb2-pkgx" }, { "vulnerability": "VCID-wau6-kvqa-pbgu" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.3" } ], "aliases": [ "CVE-2023-48650", "GHSA-x577-gcc9-9xjj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tzyh-y7uc-hff9" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.14" }