Look up vulnerable packages by Package URL.

GET /api/packages/58607?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/58607?format=api",
    "purl": "pkg:composer/concrete5/core@8.5.7",
    "type": "composer",
    "namespace": "concrete5",
    "name": "core",
    "version": "8.5.7",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "8.5.8",
    "latest_non_vulnerable_version": "9.1.0",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/197130?format=api",
            "vulnerability_id": "VCID-6mt9-72w9-nba8",
            "summary": "",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-30117",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00232",
                            "scoring_system": "epss",
                            "scoring_elements": "0.46131",
                            "published_at": "2026-05-30T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-30117"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes"
                },
                {
                    "reference_url": "https://github.com/concretecms/concretecms-core",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/concretecms/concretecms-core"
                },
                {
                    "reference_url": "https://hackerone.com/reports/1482280",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://hackerone.com/reports/1482280"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30117",
                    "reference_id": "CVE-2022-30117",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30117"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-3jxh-6635-6jwp",
                    "reference_id": "GHSA-3jxh-6635-6jwp",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-3jxh-6635-6jwp"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/78380?format=api",
                    "purl": "pkg:composer/concrete5/core@8.5.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.8"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/78382?format=api",
                    "purl": "pkg:composer/concrete5/core@9.1.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@9.1.0"
                }
            ],
            "aliases": [
                "CVE-2022-30117",
                "GHSA-3jxh-6635-6jwp"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6mt9-72w9-nba8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/190810?format=api",
            "vulnerability_id": "VCID-bx3d-22ya-jqh7",
            "summary": "",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-21829",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00663",
                            "scoring_system": "epss",
                            "scoring_elements": "0.71529",
                            "published_at": "2026-05-30T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-21829"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes,",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes,"
                },
                {
                    "reference_url": "https://github.com/concretecms/concretecms-core",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/concretecms/concretecms-core"
                },
                {
                    "reference_url": "https://hackerone.com/reports/1482520",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://hackerone.com/reports/1482520"
                },
                {
                    "reference_url": "https://hackerone.com/reports/1482520,",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://hackerone.com/reports/1482520,"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21829",
                    "reference_id": "CVE-2022-21829",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.0",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21829"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-6xc4-7fmm-65q2",
                    "reference_id": "GHSA-6xc4-7fmm-65q2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-6xc4-7fmm-65q2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/78380?format=api",
                    "purl": "pkg:composer/concrete5/core@8.5.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.8"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/78382?format=api",
                    "purl": "pkg:composer/concrete5/core@9.1.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@9.1.0"
                }
            ],
            "aliases": [
                "CVE-2022-21829",
                "GHSA-6xc4-7fmm-65q2"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bx3d-22ya-jqh7"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/197133?format=api",
            "vulnerability_id": "VCID-u4ys-wqfh-d3e7",
            "summary": "",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-30120",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00632",
                            "scoring_system": "epss",
                            "scoring_elements": "0.70685",
                            "published_at": "2026-05-30T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-30120"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "3.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "3.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes"
                },
                {
                    "reference_url": "https://github.com/concretecms/concretecms-core",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "3.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/concretecms/concretecms-core"
                },
                {
                    "reference_url": "https://hackerone.com/reports/1363598",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "3.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://hackerone.com/reports/1363598"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30120",
                    "reference_id": "CVE-2022-30120",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "3.1",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
                        },
                        {
                            "value": "LOW",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30120"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-m2ww-6wv6-vw3c",
                    "reference_id": "GHSA-m2ww-6wv6-vw3c",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "LOW",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-m2ww-6wv6-vw3c"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/78380?format=api",
                    "purl": "pkg:composer/concrete5/core@8.5.8",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.8"
                },
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/78382?format=api",
                    "purl": "pkg:composer/concrete5/core@9.1.0",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@9.1.0"
                }
            ],
            "aliases": [
                "CVE-2022-30120",
                "GHSA-m2ww-6wv6-vw3c"
            ],
            "risk_score": 1.4,
            "exploitability": "0.5",
            "weighted_severity": "2.7",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u4ys-wqfh-d3e7"
        }
    ],
    "fixing_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/14370?format=api",
            "vulnerability_id": "VCID-2y1d-66kt-g3dj",
            "summary": "Authorization Bypass Through User-Controlled Key\nUnauthorized individuals could view password-protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered. For version 8.5.6, the following mitigations were put in place: a. restricting file types for view_inline to images only; b. putting a warning in the file manager to advise users. Credit for discovery: \"Solar Security Research Team\". Concrete CMS security team CVSS scoring is 5.3: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This fix is also in Concrete version 9.0.0",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22951",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00314",
                            "scoring_system": "epss",
                            "scoring_elements": "0.54796",
                            "published_at": "2026-05-30T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22951"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"
                },
                {
                    "reference_url": "https://hackerone.com/reports/1102014",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://hackerone.com/reports/1102014"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22951",
                    "reference_id": "CVE-2021-22951",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22951"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-rhf5-f553-xg82",
                    "reference_id": "GHSA-rhf5-f553-xg82",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-rhf5-f553-xg82"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/58607?format=api",
                    "purl": "pkg:composer/concrete5/core@8.5.7",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6mt9-72w9-nba8"
                        },
                        {
                            "vulnerability": "VCID-bx3d-22ya-jqh7"
                        },
                        {
                            "vulnerability": "VCID-u4ys-wqfh-d3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.7"
                }
            ],
            "aliases": [
                "CVE-2021-22951",
                "GHSA-rhf5-f553-xg82"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2y1d-66kt-g3dj"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/14375?format=api",
            "vulnerability_id": "VCID-4mf1-2cfa-9qhe",
            "summary": "Authorization Bypass Through User-Controlled Key\nIn Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation. To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in \"add / edit message\". Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. Credit for discovery: Adrian H",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22967",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00747",
                            "scoring_system": "epss",
                            "scoring_elements": "0.7339",
                            "published_at": "2026-05-30T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22967"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"
                },
                {
                    "reference_url": "https://hackerone.com/reports/869612",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://hackerone.com/reports/869612"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22967",
                    "reference_id": "CVE-2021-22967",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22967"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-m2v2-8227-59f5",
                    "reference_id": "GHSA-m2v2-8227-59f5",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-m2v2-8227-59f5"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/58607?format=api",
                    "purl": "pkg:composer/concrete5/core@8.5.7",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6mt9-72w9-nba8"
                        },
                        {
                            "vulnerability": "VCID-bx3d-22ya-jqh7"
                        },
                        {
                            "vulnerability": "VCID-u4ys-wqfh-d3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.7"
                }
            ],
            "aliases": [
                "CVE-2021-22967",
                "GHSA-m2v2-8227-59f5"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4mf1-2cfa-9qhe"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/14374?format=api",
            "vulnerability_id": "VCID-8rsq-c5jg-53cy",
            "summary": "Server-Side Request Forgery (SSRF)\nConcrete CMS (formerly concrete5) versions below 8.5.7 have an SSRF mitigation bypass using a DNS Rebind attack, giving an attacker the ability to fetch cloud IAAS (e.g. AWS) IAM keys. To fix this, Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS. Discoverer: Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ ). The Concrete CMS team gave this a CVSS 3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N. Please note that Cloud IAAS provider mis-configurations are not Concrete CMS vulnerabilities. A mitigation for this vulnerability is to make sure that the IMDS configurations are according to a cloud provider's best practices. This fix is also in Concrete version 9.0.0.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22969",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00268",
                            "scoring_system": "epss",
                            "scoring_elements": "0.50468",
                            "published_at": "2026-05-30T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22969"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"
                },
                {
                    "reference_url": "https://hackerone.com/reports/1369312",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://hackerone.com/reports/1369312"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22969",
                    "reference_id": "CVE-2021-22969",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22969"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mcxr-fx5f-96qq",
                    "reference_id": "GHSA-mcxr-fx5f-96qq",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-mcxr-fx5f-96qq"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/58607?format=api",
                    "purl": "pkg:composer/concrete5/core@8.5.7",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6mt9-72w9-nba8"
                        },
                        {
                            "vulnerability": "VCID-bx3d-22ya-jqh7"
                        },
                        {
                            "vulnerability": "VCID-u4ys-wqfh-d3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.7"
                }
            ],
            "aliases": [
                "CVE-2021-22969",
                "GHSA-mcxr-fx5f-96qq"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8rsq-c5jg-53cy"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/14376?format=api",
            "vulnerability_id": "VCID-c3mj-8qzc-ckd8",
            "summary": "Improper Privilege Management\nPrivilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted \"view\" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check for group permissions before allowing a group to be moved. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. Credit for discovery: \"Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )\". This fix is also in Concrete version 9.0.0.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22966",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00267",
                            "scoring_system": "epss",
                            "scoring_elements": "0.5034",
                            "published_at": "2026-05-30T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22966"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"
                },
                {
                    "reference_url": "https://hackerone.com/reports/1362747",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://hackerone.com/reports/1362747"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22966",
                    "reference_id": "CVE-2021-22966",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22966"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-j4mv-2rv7-v2j9",
                    "reference_id": "GHSA-j4mv-2rv7-v2j9",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-j4mv-2rv7-v2j9"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/58607?format=api",
                    "purl": "pkg:composer/concrete5/core@8.5.7",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6mt9-72w9-nba8"
                        },
                        {
                            "vulnerability": "VCID-bx3d-22ya-jqh7"
                        },
                        {
                            "vulnerability": "VCID-u4ys-wqfh-d3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.7"
                }
            ],
            "aliases": [
                "CVE-2021-22966",
                "GHSA-j4mv-2rv7-v2j9"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c3mj-8qzc-ckd8"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/14371?format=api",
            "vulnerability_id": "VCID-vata-s3cw-pqax",
            "summary": "Server-Side Request Forgery (SSRF)\nConcrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing, causing the system to be vulnerable to: a. SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local network apps; and b. SSRF Mitigation Bypass through DNS Rebinding. Concrete CMS security team gave this a CVSS score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N. Concrete CMS is maintaining Concrete version 8.5.x until 1 May 2022 for security fixes. This CVE is shared with HackerOne Reports https://hackerone.com/reports/1364797 and https://hackerone.com/reports/1360016. Reporters: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) and Bipul Jaiswal",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22970",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00386",
                            "scoring_system": "epss",
                            "scoring_elements": "0.60044",
                            "published_at": "2026-05-30T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22970"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/901-release-notes",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/901-release-notes"
                },
                {
                    "reference_url": "https://hackerone.com/reports/1364797",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://hackerone.com/reports/1364797"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22970",
                    "reference_id": "CVE-2021-22970",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22970"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-gqpw-9q54-9x28",
                    "reference_id": "GHSA-gqpw-9q54-9x28",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-gqpw-9q54-9x28"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/58607?format=api",
                    "purl": "pkg:composer/concrete5/core@8.5.7",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6mt9-72w9-nba8"
                        },
                        {
                            "vulnerability": "VCID-bx3d-22ya-jqh7"
                        },
                        {
                            "vulnerability": "VCID-u4ys-wqfh-d3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.7"
                }
            ],
            "aliases": [
                "CVE-2021-22970",
                "GHSA-gqpw-9q54-9x28"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vata-s3cw-pqax"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/14373?format=api",
            "vulnerability_id": "VCID-ycue-c4sz-cqgs",
            "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\nA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below. The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration. To fix this, a check for allowed file extensions was added before downloading files to a tmp directory. Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N. This fix is also in Concrete version 9.0.0.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22968",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0266",
                            "scoring_system": "epss",
                            "scoring_elements": "0.86043",
                            "published_at": "2026-05-30T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-22968"
                },
                {
                    "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"
                },
                {
                    "reference_url": "https://github.com/olsgreen/concrete5-core",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/olsgreen/concrete5-core"
                },
                {
                    "reference_url": "https://hackerone.com/reports/1350444",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://hackerone.com/reports/1350444"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22968",
                    "reference_id": "CVE-2021-22968",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22968"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-g3p2-hfqr-9m25",
                    "reference_id": "GHSA-g3p2-hfqr-9m25",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-g3p2-hfqr-9m25"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/58607?format=api",
                    "purl": "pkg:composer/concrete5/core@8.5.7",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-6mt9-72w9-nba8"
                        },
                        {
                            "vulnerability": "VCID-bx3d-22ya-jqh7"
                        },
                        {
                            "vulnerability": "VCID-u4ys-wqfh-d3e7"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.7"
                }
            ],
            "aliases": [
                "CVE-2021-22968",
                "GHSA-g3p2-hfqr-9m25"
            ],
            "risk_score": null,
            "exploitability": null,
            "weighted_severity": null,
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ycue-c4sz-cqgs"
        }
    ],
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.7"
}