Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/33394?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/33394?format=api", "purl": "pkg:composer/concrete5/concrete5@9.3.4", "type": "composer", "namespace": "concrete5", "name": "concrete5", "version": "9.3.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "9.4.0-RC1", "latest_non_vulnerable_version": "9.4.8", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/120419?format=api", "vulnerability_id": "VCID-7mj3-9jvf-vudw", "summary": "Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function.The \"Add Folder\" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.8 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. Thanks, Alfin Joseph for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-0660", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00212", "scoring_system": "epss", "scoring_elements": "0.43779", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-0660" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0660", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0660" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12454", "reference_id": "12454", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-11T15:38:19Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12454" }, { "reference_url": "https://github.com/concretecms/bedrock/pull/370", "reference_id": "370", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-11T15:38:19Z/" } ], "url": "https://github.com/concretecms/bedrock/pull/370" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes", "reference_id": "940-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-11T15:38:19Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes" }, { "reference_url": "https://github.com/advisories/GHSA-pvmx-mjmh-jfcx", "reference_id": "GHSA-pvmx-mjmh-jfcx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-pvmx-mjmh-jfcx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/785786?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.0RC1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.0RC1" }, { "url": "http://public2.vulnerablecode.io/api/packages/377800?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.0-RC1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.0-RC1" } ], "aliases": [ "CVE-2025-0660", "GHSA-pvmx-mjmh-jfcx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7mj3-9jvf-vudw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/85463?format=api", "vulnerability_id": "VCID-d4bd-m93f-aqf2", "summary": "In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3242", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01379", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3242" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826", "reference_id": "12826", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:42:24Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12826" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes", "reference_id": "948-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:42:24Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3242", "reference_id": "CVE-2026-3242", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3242" }, { "reference_url": "https://github.com/advisories/GHSA-w9qg-chfh-g3q9", "reference_id": "GHSA-w9qg-chfh-g3q9", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w9qg-chfh-g3q9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ "CVE-2026-3242", "GHSA-w9qg-chfh-g3q9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d4bd-m93f-aqf2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/127526?format=api", "vulnerability_id": "VCID-dgf1-ded8-4uef", "summary": "Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. Attackers are limited to individuals whom a site administrator has granted the ability to fill in an address attribute. It is possible for the attacker to glean limited information from the site but amount and type is restricted by mitigating controls and the level of access of the attacker. Limited data modification is possible. The dashboard page itself could be rendered unavailable. \nThe fix only sanitizes new data uploaded post update to Concrete CMS 9.4.0RC2. Existing database entries added before the update will still be “live” if there were successful exploits added under previous versions; a database search is recommended. The Concrete CMS security team gave this vulnerability CVSS v.4.0 score of 5.1 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L Thanks Myq Larson for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-3153", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00333", "scoring_system": "epss", "scoring_elements": "0.56494", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-3153" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3153", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3153" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12511", "reference_id": "12511", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T14:04:27Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12511" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12512", "reference_id": "12512", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T14:04:27Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12512" }, { "reference_url": "https://github.com/concretecms/concretecms/releases/tag/8.5.20", "reference_id": "8.5.20", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T14:04:27Z/" } ], "url": "https://github.com/concretecms/concretecms/releases/tag/8.5.20" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes", "reference_id": "940-release-notes", "reference_type": "", "scores": [ { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T14:04:27Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes" }, { "reference_url": "https://github.com/advisories/GHSA-cmm4-p9v2-q453", "reference_id": "GHSA-cmm4-p9v2-q453", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-cmm4-p9v2-q453" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376517?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.0-RC2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.0-RC2" }, { "url": "http://public2.vulnerablecode.io/api/packages/791691?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.0RC2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.0RC2" } ], "aliases": [ "CVE-2025-3153", "GHSA-cmm4-p9v2-q453" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dgf1-ded8-4uef" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/92329?format=api", "vulnerability_id": "VCID-dx1t-b982-5ucd", "summary": "Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Fortbridge https://fortbridge.co.uk/ for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-8571", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49646", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-8571" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/4b39dcc17c309dc82eb8398e8cdb146942f62f92", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/4b39dcc17c309dc82eb8398e8cdb146942f62f92" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/f7630b467d3a234d3d333ca117046a500e7ee2b6", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/f7630b467d3a234d3d333ca117046a500e7ee2b6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8571", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8571" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8521-release-notes", "reference_id": "8521-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-06T16:14:47Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8521-release-notes" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes", "reference_id": "943-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-06T16:14:47Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes" }, { "reference_url": "https://www.concretecms.org/download", "reference_id": "download", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-06T16:14:47Z/" } ], "url": "https://www.concretecms.org/download" }, { "reference_url": "https://github.com/advisories/GHSA-4pcg-pjp5-3mc6", "reference_id": "GHSA-4pcg-pjp5-3mc6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4pcg-pjp5-3mc6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377524?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.3" } ], "aliases": [ "CVE-2025-8571", "GHSA-4pcg-pjp5-3mc6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dx1t-b982-5ucd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/66432?format=api", "vulnerability_id": "VCID-g134-5qhy-mudn", "summary": "ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30662", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00059", "scoring_system": "epss", "scoring_elements": "0.18751", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-30662" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30662", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30662" }, { "reference_url": "https://wang1rrr.github.io/2026/02/11/CVE-Report-ConcreteCMS-DoS", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://wang1rrr.github.io/2026/02/11/CVE-Report-ConcreteCMS-DoS" }, { "reference_url": "https://wang1rrr.github.io/2026/02/11/CVE-Report-ConcreteCMS-DoS/", "reference_id": "CVE-Report-ConcreteCMS-DoS", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-24T18:49:15Z/" } ], "url": "https://wang1rrr.github.io/2026/02/11/CVE-Report-ConcreteCMS-DoS/" }, { "reference_url": "https://github.com/advisories/GHSA-p68c-rmfh-j48h", "reference_id": "GHSA-p68c-rmfh-j48h", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p68c-rmfh-j48h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ "CVE-2026-30662", "GHSA-p68c-rmfh-j48h" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g134-5qhy-mudn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/85790?format=api", "vulnerability_id": "VCID-nahk-p3f1-8bee", "summary": "In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the \"Legacy Form\" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3241", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0001", "scoring_system": "epss", "scoring_elements": "0.0123", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3241" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826", "reference_id": "12826", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:41:54Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12826" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes", "reference_id": "948-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:41:54Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3241", "reference_id": "CVE-2026-3241", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3241" }, { "reference_url": "https://github.com/advisories/GHSA-f4vq-pj32-gr4q", "reference_id": "GHSA-f4vq-pj32-gr4q", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f4vq-pj32-gr4q" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ "CVE-2026-3241", "GHSA-f4vq-pj32-gr4q" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nahk-p3f1-8bee" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/85949?format=api", "vulnerability_id": "VCID-qndd-2vmq-guen", "summary": "In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3240", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01379", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3240" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826", "reference_id": "12826", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:32:45Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12826" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes", "reference_id": "948-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:32:45Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3240", "reference_id": "CVE-2026-3240", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3240" }, { "reference_url": "https://github.com/advisories/GHSA-45fj-fvmm-xcc5", "reference_id": "GHSA-45fj-fvmm-xcc5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-45fj-fvmm-xcc5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ "CVE-2026-3240", "GHSA-45fj-fvmm-xcc5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qndd-2vmq-guen" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/85813?format=api", "vulnerability_id": "VCID-rkx3-e4r3-c3gh", "summary": "Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of ZUSO ART https://zuso.ai/ for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3452", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00273", "scoring_system": "epss", "scoring_elements": "0.51008", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3452" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920://", "reference_id": "167f16e4805d8ab546d2997c753ac21bf4854920:", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T16:02:03Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920://" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes", "reference_id": "948-release-notes", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-04T16:02:03Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3452", "reference_id": "CVE-2026-3452", "reference_type": "", "scores": [ { "value": "8.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3452" }, { "reference_url": "https://github.com/advisories/GHSA-gj26-w59c-29mf", "reference_id": "GHSA-gj26-w59c-29mf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gj26-w59c-29mf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ "CVE-2026-3452", "GHSA-gj26-w59c-29mf" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rkx3-e4r3-c3gh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/126308?format=api", "vulnerability_id": "VCID-tt5n-k5h8-xufp", "summary": "", "references": [ { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/yaowenxiao721/Poc/blob/main/Concretecms/Concretecms-poc5.md", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yaowenxiao721/Poc/blob/main/Concretecms/Concretecms-poc5.md" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2967", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2967" }, { "reference_url": "https://vuldb.com/?ctiid.302019", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://vuldb.com/?ctiid.302019" }, { "reference_url": "https://vuldb.com/?id.302019", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://vuldb.com/?id.302019" }, { "reference_url": "https://vuldb.com/?submit.522417", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://vuldb.com/?submit.522417" }, { "reference_url": "https://github.com/advisories/GHSA-xfqf-5rhg-5c73", "reference_id": "GHSA-xfqf-5rhg-5c73", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xfqf-5rhg-5c73" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/785786?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.0RC1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.0RC1" } ], "aliases": [ "CVE-2025-2967", "GHSA-xfqf-5rhg-5c73" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tt5n-k5h8-xufp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/85311?format=api", "vulnerability_id": "VCID-v39f-kpce-2qhz", "summary": "In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks zolpak for reporting", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3244", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01379", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-3244" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826", "reference_id": "12826", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:50:43Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12826" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes", "reference_id": "948-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:50:43Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3244", "reference_id": "CVE-2026-3244", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3244" }, { "reference_url": "https://github.com/advisories/GHSA-mm5f-5rqw-574f", "reference_id": "GHSA-mm5f-5rqw-574f", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mm5f-5rqw-574f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ "CVE-2026-3244", "GHSA-mm5f-5rqw-574f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v39f-kpce-2qhz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/84946?format=api", "vulnerability_id": "VCID-vdtu-qtuw-v3fs", "summary": "Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2994", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01454", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-2994" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12826", "reference_id": "12826", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:04:57Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12826" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes", "reference_id": "948-release-notes", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:04:57Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2994", "reference_id": "CVE-2026-2994", "reference_type": "", "scores": [ { "value": "2.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2994" }, { "reference_url": "https://github.com/advisories/GHSA-6mxw-2vhf-42g5", "reference_id": "GHSA-6mxw-2vhf-42g5", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6mxw-2vhf-42g5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/40145?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.8" } ], "aliases": [ "CVE-2026-2994", "GHSA-6mxw-2vhf-42g5" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vdtu-qtuw-v3fs" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/92809?format=api", "vulnerability_id": "VCID-x48e-w1z4-57ab", "summary": "Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks sealldev (Noah Cooper) for reporting via HackerOne.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-8573", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00367", "scoring_system": "epss", "scoring_elements": "0.59062", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-8573" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/f7630b467d3a234d3d333ca117046a500e7ee2b6", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/f7630b467d3a234d3d333ca117046a500e7ee2b6" }, { "reference_url": "https://github.com/concretecms/concretecms/releases/tag/9.4.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/releases/tag/9.4.3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8573", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8573" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes", "reference_id": "943-release-notes", "reference_type": "", "scores": [ { "value": "2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-06T14:08:41Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes" }, { "reference_url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52428.txt", "reference_id": "CVE-2025-8573", "reference_type": "exploit", "scores": [], "url": "https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52428.txt" }, { "reference_url": "https://www.concretecms.org/download", "reference_id": "download", "reference_type": "", "scores": [ { "value": "2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-06T14:08:41Z/" } ], "url": "https://www.concretecms.org/download" }, { "reference_url": "https://github.com/advisories/GHSA-c5xf-rmv4-j85h", "reference_id": "GHSA-c5xf-rmv4-j85h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c5xf-rmv4-j85h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377524?format=api", "purl": "pkg:composer/concrete5/concrete5@9.4.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.4.3" } ], "aliases": [ "CVE-2025-8573", "GHSA-c5xf-rmv4-j85h" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x48e-w1z4-57ab" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45535?format=api", "vulnerability_id": "VCID-c2xh-rq7d-wqey", "summary": "Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Thank you, Yusuke Uchida for reporting. CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC)", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-7398", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00191", "scoring_system": "epss", "scoring_elements": "0.40884", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-7398" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12183", "reference_id": "12183", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:04:57Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12183" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12184", "reference_id": "12184", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:04:57Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12184" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5", "reference_id": "7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:04:57Z/" } ], "url": "https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes", "reference_id": "8519-release-notes", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:04:57Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes", "reference_id": "934-release-notes", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:04:57Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7398", "reference_id": "CVE-2024-7398", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7398" }, { "reference_url": "https://github.com/advisories/GHSA-x8h2-255q-jg4x", "reference_id": "GHSA-x8h2-255q-jg4x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x8h2-255q-jg4x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33393?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/33394?format=api", "purl": "pkg:composer/concrete5/concrete5@9.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.3.4" } ], "aliases": [ "CVE-2024-7398", "GHSA-x8h2-255q-jg4x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c2xh-rq7d-wqey" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/34796?format=api", "vulnerability_id": "VCID-htqe-191f-1yab", "summary": "Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color. A rogue admin could add malicious code to the Thumbnails/Add-Type. The Concrete CMS Security Team gave this a CVSS v4 score of 5.1 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks, Alexey Solovyev for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8291", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00339", "scoring_system": "epss", "scoring_elements": "0.57049", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8291" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/d97b43b8dd0b5578b41d2ffb5b2186a44c2c772c", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/d97b43b8dd0b5578b41d2ffb5b2186a44c2c772c" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12183", "reference_id": "12183", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:05:39Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12183" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes", "reference_id": "8519-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:05:39Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes", "reference_id": "934-release-notes", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:05:39Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8291", "reference_id": "CVE-2024-8291", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8291" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/dbce253166f6b10ff3e0c09e50fd395370b8b065", "reference_id": "dbce253166f6b10ff3e0c09e50fd395370b8b065", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:05:39Z/" } ], "url": "https://github.com/concretecms/concretecms/commit/dbce253166f6b10ff3e0c09e50fd395370b8b065" }, { "reference_url": "https://github.com/advisories/GHSA-q7qr-22qw-pqgx", "reference_id": "GHSA-q7qr-22qw-pqgx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q7qr-22qw-pqgx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33393?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/33394?format=api", "purl": "pkg:composer/concrete5/concrete5@9.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.3.4" } ], "aliases": [ "CVE-2024-8291", "GHSA-q7qr-22qw-pqgx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-htqe-191f-1yab" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/34088?format=api", "vulnerability_id": "VCID-nuz6-12nr-2yga", "summary": "Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.18 are vulnerable to Stored XSS in the \"Next&Previous Nav\" block. A rogue administrator could add a malicious payload by executing it in the browsers of targeted users. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Since the \"Next&Previous Nav\" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. Thanks, Chu Quoc Khanh for reporting.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8661", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00539", "scoring_system": "epss", "scoring_elements": "0.68027", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8661" }, { "reference_url": "https://github.com/concretecms/concretecms", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/3e548b416ae32efee1e0a42c4510be1106c7eb25", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/concretecms/concretecms/commit/3e548b416ae32efee1e0a42c4510be1106c7eb25" }, { "reference_url": "https://github.com/concretecms/concretecms/pull/12204", "reference_id": "12204", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:05:43Z/" } ], "url": "https://github.com/concretecms/concretecms/pull/12204" }, { "reference_url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes", "reference_id": "8519-release-notes", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:05:43Z/" } ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes" }, { "reference_url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes", "reference_id": "934-release-notes", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:05:43Z/" } ], "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes" }, { "reference_url": "https://github.com/concretecms/concretecms/commit/ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4", "reference_id": "ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:05:43Z/" } ], "url": "https://github.com/concretecms/concretecms/commit/ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8661", "reference_id": "CVE-2024-8661", "reference_type": "", "scores": [ { "value": "2.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" }, { "value": "4.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8661" }, { "reference_url": "https://github.com/advisories/GHSA-xmxj-v2q8-8qx6", "reference_id": "GHSA-xmxj-v2q8-8qx6", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xmxj-v2q8-8qx6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/33393?format=api", "purl": "pkg:composer/concrete5/concrete5@8.5.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@8.5.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/33394?format=api", "purl": "pkg:composer/concrete5/concrete5@9.3.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7mj3-9jvf-vudw" }, { "vulnerability": "VCID-d4bd-m93f-aqf2" }, { "vulnerability": "VCID-dgf1-ded8-4uef" }, { "vulnerability": "VCID-dx1t-b982-5ucd" }, { "vulnerability": "VCID-g134-5qhy-mudn" }, { "vulnerability": "VCID-nahk-p3f1-8bee" }, { "vulnerability": "VCID-qndd-2vmq-guen" }, { "vulnerability": "VCID-rkx3-e4r3-c3gh" }, { "vulnerability": "VCID-tt5n-k5h8-xufp" }, { "vulnerability": "VCID-v39f-kpce-2qhz" }, { "vulnerability": "VCID-vdtu-qtuw-v3fs" }, { "vulnerability": "VCID-x48e-w1z4-57ab" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.3.4" } ], "aliases": [ "CVE-2024-8661", "GHSA-xmxj-v2q8-8qx6" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nuz6-12nr-2yga" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.3.4" }