| 0 |
| url |
VCID-1zw6-abpq-aqee |
| vulnerability_id |
VCID-1zw6-abpq-aqee |
| summary |
|
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28476 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01758 |
| scoring_system |
epss |
| scoring_elements |
0.83067 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.01758 |
| scoring_system |
epss |
| scoring_elements |
0.83071 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.01758 |
| scoring_system |
epss |
| scoring_elements |
0.83075 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.01758 |
| scoring_system |
epss |
| scoring_elements |
0.83005 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28476 |
|
| 1 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.0 |
| purl |
pkg:composer/concrete5/concrete5@9.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 6 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 7 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 8 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 9 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 10 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 11 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 12 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 13 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 14 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 15 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 16 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 17 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 18 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 19 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 20 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 21 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 22 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 23 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 24 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 25 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 26 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 27 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 28 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 29 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 30 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 31 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 32 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 33 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 34 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 35 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 36 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 37 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 38 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 39 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 40 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 41 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 42 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.0 |
|
|
| aliases |
CVE-2023-28476, GHSA-2ggc-552c-rmqr
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1zw6-abpq-aqee |
|
| 1 |
| url |
VCID-2a3x-n2fy-eqce |
| vulnerability_id |
VCID-2a3x-n2fy-eqce |
| summary |
Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file. Stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-3180 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28128 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28142 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28153 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.2793 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-3180 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.8 |
| purl |
pkg:composer/concrete5/concrete5@9.2.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 1 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 2 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 3 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 4 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 5 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 6 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 7 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 8 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 9 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 10 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 11 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 12 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 13 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 14 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 15 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 16 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 17 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 18 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 19 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.8 |
|
|
| aliases |
CVE-2024-3180, GHSA-9qhc-pg6j-wf23
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2a3x-n2fy-eqce |
|
| 2 |
| url |
VCID-2fk1-gqz6-kbcy |
| vulnerability_id |
VCID-2fk1-gqz6-kbcy |
| summary |
|
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28819 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02002 |
| scoring_system |
epss |
| scoring_elements |
0.84047 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.02002 |
| scoring_system |
epss |
| scoring_elements |
0.84104 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.02002 |
| scoring_system |
epss |
| scoring_elements |
0.84111 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.02002 |
| scoring_system |
epss |
| scoring_elements |
0.84107 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28819 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.0 |
| purl |
pkg:composer/concrete5/concrete5@9.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-4h16-ay16-qkcs |
|
| 5 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 6 |
| vulnerability |
VCID-56qq-9y15-nkb7 |
|
| 7 |
| vulnerability |
VCID-683x-bjfm-j3hh |
|
| 8 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 9 |
| vulnerability |
VCID-71ae-y44g-kbbw |
|
| 10 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 11 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 12 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 13 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 14 |
| vulnerability |
VCID-9kyu-9sz6-1bea |
|
| 15 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 16 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 17 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 18 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 19 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 20 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 21 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 22 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 23 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 24 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 25 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 26 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 27 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 28 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 29 |
| vulnerability |
VCID-g3pw-h46n-fyac |
|
| 30 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 31 |
| vulnerability |
VCID-h56x-jv8r-a3aq |
|
| 32 |
| vulnerability |
VCID-h67e-b4s5-guac |
|
| 33 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 34 |
| vulnerability |
VCID-he4r-v9gv-tkdh |
|
| 35 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 36 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 37 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 38 |
| vulnerability |
VCID-mjce-crza-h7d4 |
|
| 39 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 40 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 41 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 42 |
| vulnerability |
VCID-pbwe-39av-sydg |
|
| 43 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 44 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 45 |
| vulnerability |
VCID-pt73-zjft-syhk |
|
| 46 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 47 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 48 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 49 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 50 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 51 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 52 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 53 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 54 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 55 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 56 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 57 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 58 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 59 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 60 |
| vulnerability |
VCID-xfwe-ku14-gfe7 |
|
| 61 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 62 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 63 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.0 |
|
|
| aliases |
CVE-2023-28819, GHSA-474f-mcjv-pgrm
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2fk1-gqz6-kbcy |
|
| 3 |
| url |
VCID-2x2h-cef1-yfee |
| vulnerability_id |
VCID-2x2h-cef1-yfee |
| summary |
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1245 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00554 |
| scoring_system |
epss |
| scoring_elements |
0.68547 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00554 |
| scoring_system |
epss |
| scoring_elements |
0.68645 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00554 |
| scoring_system |
epss |
| scoring_elements |
0.68649 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00554 |
| scoring_system |
epss |
| scoring_elements |
0.68636 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1245 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.5 |
| purl |
pkg:composer/concrete5/concrete5@9.2.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 2 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 3 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 4 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 5 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 6 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 7 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 8 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 9 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 10 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 11 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 12 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 13 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 14 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 15 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 16 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 17 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 18 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 19 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 20 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 21 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 22 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 23 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 24 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 25 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.5 |
|
|
| aliases |
CVE-2024-1245, GHSA-mgp6-j658-vcw9
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2x2h-cef1-yfee |
|
| 4 |
| url |
VCID-3514-7uhf-pufd |
| vulnerability_id |
VCID-3514-7uhf-pufd |
| summary |
Concrete CMS versions 9 below 9.2.8 and versions below 8.5.16 are vulnerable to Cross-site Scripting (XSS) in the Advanced File Search Filter. Prior to the fix, a rogue administrator could add malicious code in the file manager because of insufficient validation of administrator provided data. All administrators have access to the File Manager and hence could create a search filter with the malicious code attached. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-3178 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28128 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28142 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28153 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.2793 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-3178 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.8 |
| purl |
pkg:composer/concrete5/concrete5@9.2.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 1 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 2 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 3 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 4 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 5 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 6 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 7 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 8 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 9 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 10 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 11 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 12 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 13 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 14 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 15 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 16 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 17 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 18 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 19 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.8 |
|
|
| aliases |
CVE-2024-3178, GHSA-xwrh-qxmc-x8c8
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3514-7uhf-pufd |
|
| 5 |
| url |
VCID-4h16-ay16-qkcs |
| vulnerability_id |
VCID-4h16-ay16-qkcs |
| summary |
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43695 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00521 |
| scoring_system |
epss |
| scoring_elements |
0.67375 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00521 |
| scoring_system |
epss |
| scoring_elements |
0.67388 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00521 |
| scoring_system |
epss |
| scoring_elements |
0.67284 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00521 |
| scoring_system |
epss |
| scoring_elements |
0.6739 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43695 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.3 |
| purl |
pkg:composer/concrete5/concrete5@9.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 5 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 6 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 7 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 8 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 9 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 10 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 11 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 12 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 13 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 14 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 15 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 16 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 17 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 18 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 19 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 20 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 21 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 22 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 23 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 24 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 25 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 26 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 27 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 28 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 29 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 30 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 31 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 32 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 33 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 34 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 35 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 36 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 37 |
| vulnerability |
VCID-s6vy-zjm8-n7bc |
|
| 38 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 39 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 40 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 41 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 42 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 43 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 44 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 45 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 46 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 47 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 48 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 49 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 50 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 51 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.3 |
|
|
| aliases |
CVE-2022-43695, GHSA-8699-h45g-7hm8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4h16-ay16-qkcs |
|
| 6 |
| url |
VCID-542x-fkyy-sfcp |
| vulnerability_id |
VCID-542x-fkyy-sfcp |
| summary |
Concrete CMS version 9 before 9.2.8 and previous versions prior to 8.5.16 is vulnerable to Stored XSS on the calendar color settings screen since Information input by the user is output without escaping. A rogue administrator could inject malicious javascript into the Calendar Color Settings screen which might be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.0 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N&version=3.1 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
Thank you Rikuto Tauchi for reporting |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-2753 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00247 |
| scoring_system |
epss |
| scoring_elements |
0.48202 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00247 |
| scoring_system |
epss |
| scoring_elements |
0.48342 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00247 |
| scoring_system |
epss |
| scoring_elements |
0.48339 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00247 |
| scoring_system |
epss |
| scoring_elements |
0.48356 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-2753 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.8 |
| purl |
pkg:composer/concrete5/concrete5@9.2.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 1 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 2 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 3 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 4 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 5 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 6 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 7 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 8 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 9 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 10 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 11 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 12 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 13 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 14 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 15 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 16 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 17 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 18 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 19 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.8 |
|
|
| aliases |
CVE-2024-2753, GHSA-pj42-r64f-4xfq
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-542x-fkyy-sfcp |
|
| 7 |
| url |
VCID-56qq-9y15-nkb7 |
| vulnerability_id |
VCID-56qq-9y15-nkb7 |
| summary |
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43692 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71591 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71492 |
| published_at |
2026-06-11T12:55:00Z |
|
| 2 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71578 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71589 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43692 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.3 |
| purl |
pkg:composer/concrete5/concrete5@9.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 5 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 6 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 7 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 8 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 9 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 10 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 11 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 12 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 13 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 14 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 15 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 16 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 17 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 18 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 19 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 20 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 21 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 22 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 23 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 24 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 25 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 26 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 27 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 28 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 29 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 30 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 31 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 32 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 33 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 34 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 35 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 36 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 37 |
| vulnerability |
VCID-s6vy-zjm8-n7bc |
|
| 38 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 39 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 40 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 41 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 42 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 43 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 44 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 45 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 46 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 47 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 48 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 49 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 50 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 51 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.3 |
|
|
| aliases |
CVE-2022-43692, GHSA-rg6w-c352-p8pg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-56qq-9y15-nkb7 |
|
| 8 |
| url |
VCID-683x-bjfm-j3hh |
| vulnerability_id |
VCID-683x-bjfm-j3hh |
| summary |
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43689 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00289 |
| scoring_system |
epss |
| scoring_elements |
0.52667 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00289 |
| scoring_system |
epss |
| scoring_elements |
0.52792 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00289 |
| scoring_system |
epss |
| scoring_elements |
0.5281 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00289 |
| scoring_system |
epss |
| scoring_elements |
0.52795 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43689 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.2 |
| purl |
pkg:composer/concrete5/concrete5@9.1.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-4h16-ay16-qkcs |
|
| 5 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 6 |
| vulnerability |
VCID-56qq-9y15-nkb7 |
|
| 7 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 8 |
| vulnerability |
VCID-71ae-y44g-kbbw |
|
| 9 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 10 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 11 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 12 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 13 |
| vulnerability |
VCID-9kyu-9sz6-1bea |
|
| 14 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 15 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 16 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 17 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 18 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 19 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 20 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 21 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 22 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 23 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 24 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 25 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 26 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 27 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 28 |
| vulnerability |
VCID-g3pw-h46n-fyac |
|
| 29 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 30 |
| vulnerability |
VCID-h56x-jv8r-a3aq |
|
| 31 |
| vulnerability |
VCID-h67e-b4s5-guac |
|
| 32 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 33 |
| vulnerability |
VCID-he4r-v9gv-tkdh |
|
| 34 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 35 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 36 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 37 |
| vulnerability |
VCID-mjce-crza-h7d4 |
|
| 38 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 39 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 40 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 41 |
| vulnerability |
VCID-pbwe-39av-sydg |
|
| 42 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 43 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 44 |
| vulnerability |
VCID-pt73-zjft-syhk |
|
| 45 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 46 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 47 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 48 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 49 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 50 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 51 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 52 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 53 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 54 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 55 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 56 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 57 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 58 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 59 |
| vulnerability |
VCID-xfwe-ku14-gfe7 |
|
| 60 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 61 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 62 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.2 |
|
|
| aliases |
CVE-2022-43689, GHSA-q48r-xg9h-78m8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-683x-bjfm-j3hh |
|
| 9 |
| url |
VCID-69vg-twmj-jfb2 |
| vulnerability_id |
VCID-69vg-twmj-jfb2 |
| summary |
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28471 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01927 |
| scoring_system |
epss |
| scoring_elements |
0.83763 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.01927 |
| scoring_system |
epss |
| scoring_elements |
0.83826 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.01927 |
| scoring_system |
epss |
| scoring_elements |
0.83829 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.01927 |
| scoring_system |
epss |
| scoring_elements |
0.8382 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28471 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://concretecms.com |
| reference_id |
concretecms.com |
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-31T16:10:13Z/ |
|
|
| url |
https://concretecms.com |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.0 |
| purl |
pkg:composer/concrete5/concrete5@9.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 6 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 7 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 8 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 9 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 10 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 11 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 12 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 13 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 14 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 15 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 16 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 17 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 18 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 19 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 20 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 21 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 22 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 23 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 24 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 25 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 26 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 27 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 28 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 29 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 30 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 31 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 32 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 33 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 34 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 35 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 36 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 37 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 38 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 39 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 40 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 41 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 42 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.0 |
|
|
| aliases |
CVE-2023-28471, GHSA-9h33-5fxw-r2xv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-69vg-twmj-jfb2 |
|
| 10 |
| url |
VCID-71ae-y44g-kbbw |
| vulnerability_id |
VCID-71ae-y44g-kbbw |
| summary |
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43556 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01853 |
| scoring_system |
epss |
| scoring_elements |
0.83499 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.01853 |
| scoring_system |
epss |
| scoring_elements |
0.83431 |
| published_at |
2026-06-11T12:55:00Z |
|
| 2 |
| value |
0.01853 |
| scoring_system |
epss |
| scoring_elements |
0.83496 |
| published_at |
2026-06-14T12:55:00Z |
|
| 3 |
| value |
0.01853 |
| scoring_system |
epss |
| scoring_elements |
0.8349 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43556 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.3 |
| purl |
pkg:composer/concrete5/concrete5@9.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 5 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 6 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 7 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 8 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 9 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 10 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 11 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 12 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 13 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 14 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 15 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 16 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 17 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 18 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 19 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 20 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 21 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 22 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 23 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 24 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 25 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 26 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 27 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 28 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 29 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 30 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 31 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 32 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 33 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 34 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 35 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 36 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 37 |
| vulnerability |
VCID-s6vy-zjm8-n7bc |
|
| 38 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 39 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 40 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 41 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 42 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 43 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 44 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 45 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 46 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 47 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 48 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 49 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 50 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 51 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.3 |
|
|
| aliases |
CVE-2022-43556, GHSA-xj33-8r43-r227
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-71ae-y44g-kbbw |
|
| 11 |
| url |
VCID-7mj3-9jvf-vudw |
| vulnerability_id |
VCID-7mj3-9jvf-vudw |
| summary |
Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function.The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.8 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. Thanks, Alfin Joseph for reporting. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-0660 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00212 |
| scoring_system |
epss |
| scoring_elements |
0.43779 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00212 |
| scoring_system |
epss |
| scoring_elements |
0.43942 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00212 |
| scoring_system |
epss |
| scoring_elements |
0.43954 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00212 |
| scoring_system |
epss |
| scoring_elements |
0.43934 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-0660 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-0660, GHSA-pvmx-mjmh-jfcx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7mj3-9jvf-vudw |
|
| 12 |
|
| 13 |
| url |
VCID-8war-c3pp-kuf5 |
| vulnerability_id |
VCID-8war-c3pp-kuf5 |
| summary |
Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Name field which might be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.2 with a vector of AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Concrete versions below 9 do not include group types so they are not affected by this vulnerability. Thanks Luca Fuda for reporting. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-2179 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00123 |
| scoring_system |
epss |
| scoring_elements |
0.31147 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00123 |
| scoring_system |
epss |
| scoring_elements |
0.31145 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00123 |
| scoring_system |
epss |
| scoring_elements |
0.31161 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00123 |
| scoring_system |
epss |
| scoring_elements |
0.3095 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-2179 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.7 |
| purl |
pkg:composer/concrete5/concrete5@9.2.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 2 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 3 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 4 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 5 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 6 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 7 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 8 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 9 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 10 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 11 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 12 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 13 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 14 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 15 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 16 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 17 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 18 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 19 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 20 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 21 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 22 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 23 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 24 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.7 |
|
|
| aliases |
CVE-2024-2179, GHSA-4m7h-34xm-4wjv
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8war-c3pp-kuf5 |
|
| 14 |
| url |
VCID-9j62-yk3f-bfgk |
| vulnerability_id |
VCID-9j62-yk3f-bfgk |
| summary |
Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-3181 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28128 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28142 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28153 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.2793 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-3181 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.8 |
| purl |
pkg:composer/concrete5/concrete5@9.2.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 1 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 2 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 3 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 4 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 5 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 6 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 7 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 8 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 9 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 10 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 11 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 12 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 13 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 14 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 15 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 16 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 17 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 18 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 19 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.8 |
|
|
| aliases |
CVE-2024-3181, GHSA-qgm9-rxmq-jxmq
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9j62-yk3f-bfgk |
|
| 15 |
| url |
VCID-9kyu-9sz6-1bea |
| vulnerability_id |
VCID-9kyu-9sz6-1bea |
| summary |
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43691 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00211 |
| scoring_system |
epss |
| scoring_elements |
0.43898 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00211 |
| scoring_system |
epss |
| scoring_elements |
0.43909 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00211 |
| scoring_system |
epss |
| scoring_elements |
0.43743 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00211 |
| scoring_system |
epss |
| scoring_elements |
0.43918 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43691 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.3 |
| purl |
pkg:composer/concrete5/concrete5@9.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 5 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 6 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 7 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 8 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 9 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 10 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 11 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 12 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 13 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 14 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 15 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 16 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 17 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 18 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 19 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 20 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 21 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 22 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 23 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 24 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 25 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 26 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 27 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 28 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 29 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 30 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 31 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 32 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 33 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 34 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 35 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 36 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 37 |
| vulnerability |
VCID-s6vy-zjm8-n7bc |
|
| 38 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 39 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 40 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 41 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 42 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 43 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 44 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 45 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 46 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 47 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 48 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 49 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 50 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 51 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.3 |
|
|
| aliases |
CVE-2022-43691, GHSA-q3hq-hm5h-qrx3
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9kyu-9sz6-1bea |
|
| 16 |
| url |
VCID-9z1s-b811-3ug2 |
| vulnerability_id |
VCID-9z1s-b811-3ug2 |
| summary |
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.6 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions below 9 are not affected. Thanks, m3dium for reporting. (CNA updated AC score to L based on CVSS 4.0 documentation) |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7512 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01111 |
| scoring_system |
epss |
| scoring_elements |
0.78561 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.01111 |
| scoring_system |
epss |
| scoring_elements |
0.78639 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.01111 |
| scoring_system |
epss |
| scoring_elements |
0.78644 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.01111 |
| scoring_system |
epss |
| scoring_elements |
0.78627 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7512 |
|
| 1 |
| reference_url |
https://github.com/concretecms/concretecms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
2.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
1.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/concretecms/concretecms |
|
| 2 |
| reference_url |
https://hackerone.com/reports/2486344 |
| reference_id |
2486344 |
| reference_type |
|
| scores |
| 0 |
| value |
2.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
1.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
4.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 3 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T13:49:33Z/ |
|
|
| url |
https://hackerone.com/reports/2486344 |
|
| 3 |
|
| 4 |
| reference_url |
https://nvd.nist.gov/vuln/detail/CVE-2024-7512 |
| reference_id |
CVE-2024-7512 |
| reference_type |
|
| scores |
| 0 |
| value |
2.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
1.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://nvd.nist.gov/vuln/detail/CVE-2024-7512 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-7512, GHSA-c47w-9mcf-w972
|
| risk_score |
1.9 |
| exploitability |
0.5 |
| weighted_severity |
3.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9z1s-b811-3ug2 |
|
| 17 |
| url |
VCID-acs4-8efj-jqa5 |
| vulnerability_id |
VCID-acs4-8efj-jqa5 |
| summary |
|
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-44765 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.53584 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.5371 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.53725 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.53712 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-44765 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.2 |
| purl |
pkg:composer/concrete5/concrete5@9.2.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 6 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 7 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 8 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 9 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 10 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 11 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 12 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 13 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 14 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 15 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 16 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 17 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 18 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 19 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 20 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 21 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 22 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 23 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 24 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 25 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 26 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 27 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 28 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 29 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 30 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 31 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 32 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 33 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.2 |
|
|
| aliases |
CVE-2023-44765, GHSA-6xx7-r8x4-fpjp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-acs4-8efj-jqa5 |
|
| 18 |
|
| 19 |
| url |
VCID-bbxq-cdbp-vucg |
| vulnerability_id |
VCID-bbxq-cdbp-vucg |
| summary |
|
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28477 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02044 |
| scoring_system |
epss |
| scoring_elements |
0.84219 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.02044 |
| scoring_system |
epss |
| scoring_elements |
0.84274 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.02044 |
| scoring_system |
epss |
| scoring_elements |
0.84282 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.02044 |
| scoring_system |
epss |
| scoring_elements |
0.84277 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28477 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.0 |
| purl |
pkg:composer/concrete5/concrete5@9.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 6 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 7 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 8 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 9 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 10 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 11 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 12 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 13 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 14 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 15 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 16 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 17 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 18 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 19 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 20 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 21 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 22 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 23 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 24 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 25 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 26 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 27 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 28 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 29 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 30 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 31 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 32 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 33 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 34 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 35 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 36 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 37 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 38 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 39 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 40 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 41 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 42 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.0 |
|
|
| aliases |
CVE-2023-28477, GHSA-xfmj-r86m-j2hr
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bbxq-cdbp-vucg |
|
| 20 |
| url |
VCID-c2xh-rq7d-wqey |
| vulnerability_id |
VCID-c2xh-rq7d-wqey |
| summary |
Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Thank you, Yusuke Uchida for reporting. CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC) |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7398 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00191 |
| scoring_system |
epss |
| scoring_elements |
0.40884 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00191 |
| scoring_system |
epss |
| scoring_elements |
0.41061 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00191 |
| scoring_system |
epss |
| scoring_elements |
0.41072 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00191 |
| scoring_system |
epss |
| scoring_elements |
0.4105 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7398 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/concretecms/concretecms/pull/12183 |
| reference_id |
12183 |
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
4.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:04:57Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/12183 |
|
| 3 |
| reference_url |
https://github.com/concretecms/concretecms/pull/12184 |
| reference_id |
12184 |
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
4.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:04:57Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/12184 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-7398, GHSA-x8h2-255q-jg4x
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c2xh-rq7d-wqey |
|
| 21 |
| url |
VCID-chav-mybs-syd2 |
| vulnerability_id |
VCID-chav-mybs-syd2 |
| summary |
Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) at /ccm/system/dialogs/file/delete/1/submit. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-48651 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00839 |
| scoring_system |
epss |
| scoring_elements |
0.75217 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00839 |
| scoring_system |
epss |
| scoring_elements |
0.7522 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00839 |
| scoring_system |
epss |
| scoring_elements |
0.75137 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00839 |
| scoring_system |
epss |
| scoring_elements |
0.75207 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-48651 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.3 |
| purl |
pkg:composer/concrete5/concrete5@9.2.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 6 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 7 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 8 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 9 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 10 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 11 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 12 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 13 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 14 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 15 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 16 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 17 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 18 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 19 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 20 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 21 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 22 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 23 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 24 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 25 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 26 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 27 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 28 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.3 |
|
|
| aliases |
CVE-2023-48651, GHSA-45m2-8q7f-93wv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-chav-mybs-syd2 |
|
| 22 |
| url |
VCID-cyhv-k8b7-u3dc |
| vulnerability_id |
VCID-cyhv-k8b7-u3dc |
| summary |
|
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28472 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00459 |
| scoring_system |
epss |
| scoring_elements |
0.64452 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00459 |
| scoring_system |
epss |
| scoring_elements |
0.64554 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00459 |
| scoring_system |
epss |
| scoring_elements |
0.64566 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00459 |
| scoring_system |
epss |
| scoring_elements |
0.64562 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28472 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.0 |
| purl |
pkg:composer/concrete5/concrete5@9.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 6 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 7 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 8 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 9 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 10 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 11 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 12 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 13 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 14 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 15 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 16 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 17 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 18 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 19 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 20 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 21 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 22 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 23 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 24 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 25 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 26 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 27 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 28 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 29 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 30 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 31 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 32 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 33 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 34 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 35 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 36 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 37 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 38 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 39 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 40 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 41 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 42 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.0 |
|
|
| aliases |
CVE-2023-28472, GHSA-f55r-8rcv-mqcf
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cyhv-k8b7-u3dc |
|
| 23 |
| url |
VCID-d263-cpsv-fkeg |
| vulnerability_id |
VCID-d263-cpsv-fkeg |
| summary |
|
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-48652 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00335 |
| scoring_system |
epss |
| scoring_elements |
0.5668 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00335 |
| scoring_system |
epss |
| scoring_elements |
0.56801 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00335 |
| scoring_system |
epss |
| scoring_elements |
0.56816 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00335 |
| scoring_system |
epss |
| scoring_elements |
0.56805 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-48652 |
|
| 1 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.3 |
| purl |
pkg:composer/concrete5/concrete5@9.2.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 6 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 7 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 8 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 9 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 10 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 11 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 12 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 13 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 14 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 15 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 16 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 17 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 18 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 19 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 20 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 21 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 22 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 23 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 24 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 25 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 26 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 27 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 28 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.3 |
|
|
| aliases |
CVE-2023-48652, GHSA-qp42-5pj7-4ccm
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d263-cpsv-fkeg |
|
| 24 |
| url |
VCID-d4bd-m93f-aqf2 |
| vulnerability_id |
VCID-d4bd-m93f-aqf2 |
| summary |
In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3242 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01394 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.0139 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01381 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01379 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3242 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/concretecms/concretecms/pull/12826 |
| reference_id |
12826 |
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:42:24Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/12826 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3242, GHSA-w9qg-chfh-g3q9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d4bd-m93f-aqf2 |
|
| 25 |
| url |
VCID-dgf1-ded8-4uef |
| vulnerability_id |
VCID-dgf1-ded8-4uef |
| summary |
Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. Attackers are limited to individuals whom a site administrator has granted the ability to fill in an address attribute. It is possible for the attacker to glean limited information from the site but amount and type is restricted by mitigating controls and the level of access of the attacker. Limited data modification is possible. The dashboard page itself could be rendered unavailable.
The fix only sanitizes new data uploaded post update to Concrete CMS 9.4.0RC2. Existing database entries added before the update will still be “live” if there were successful exploits added under previous versions; a database search is recommended. The Concrete CMS security team gave this vulnerability CVSS v.4.0 score of 5.1 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L Thanks Myq Larson for reporting. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-3153 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56494 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56617 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56613 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00333 |
| scoring_system |
epss |
| scoring_elements |
0.56627 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-3153 |
|
| 1 |
| reference_url |
https://github.com/concretecms/concretecms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/concretecms/concretecms |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/concretecms/concretecms/pull/12511 |
| reference_id |
12511 |
| reference_type |
|
| scores |
| 0 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T14:04:27Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/12511 |
|
| 4 |
| reference_url |
https://github.com/concretecms/concretecms/pull/12512 |
| reference_id |
12512 |
| reference_type |
|
| scores |
| 0 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T14:04:27Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/12512 |
|
| 5 |
| reference_url |
https://github.com/concretecms/concretecms/releases/tag/8.5.20 |
| reference_id |
8.5.20 |
| reference_type |
|
| scores |
| 0 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T14:04:27Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/releases/tag/8.5.20 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-3153, GHSA-cmm4-p9v2-q453
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dgf1-ded8-4uef |
|
| 26 |
| url |
VCID-dx1t-b982-5ucd |
| vulnerability_id |
VCID-dx1t-b982-5ucd |
| summary |
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Fortbridge https://fortbridge.co.uk/ for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-8571 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0026 |
| scoring_system |
epss |
| scoring_elements |
0.49646 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.0026 |
| scoring_system |
epss |
| scoring_elements |
0.49788 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.0026 |
| scoring_system |
epss |
| scoring_elements |
0.49801 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.0026 |
| scoring_system |
epss |
| scoring_elements |
0.49782 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-8571 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
https://www.concretecms.org/download |
| reference_id |
download |
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-06T16:14:47Z/ |
|
|
| url |
https://www.concretecms.org/download |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-8571, GHSA-4pcg-pjp5-3mc6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dx1t-b982-5ucd |
|
| 27 |
| url |
VCID-e9xf-aufp-7ffa |
| vulnerability_id |
VCID-e9xf-aufp-7ffa |
| summary |
Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/concretecms/concretecms/releases |
| reference_id |
releases |
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AC:L/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-30T20:47:43Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/releases |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.0 |
| purl |
pkg:composer/concrete5/concrete5@9.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-4h16-ay16-qkcs |
|
| 5 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 6 |
| vulnerability |
VCID-56qq-9y15-nkb7 |
|
| 7 |
| vulnerability |
VCID-683x-bjfm-j3hh |
|
| 8 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 9 |
| vulnerability |
VCID-71ae-y44g-kbbw |
|
| 10 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 11 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 12 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 13 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 14 |
| vulnerability |
VCID-9kyu-9sz6-1bea |
|
| 15 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 16 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 17 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 18 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 19 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 20 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 21 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 22 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 23 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 24 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 25 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 26 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 27 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 28 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 29 |
| vulnerability |
VCID-g3pw-h46n-fyac |
|
| 30 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 31 |
| vulnerability |
VCID-h56x-jv8r-a3aq |
|
| 32 |
| vulnerability |
VCID-h67e-b4s5-guac |
|
| 33 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 34 |
| vulnerability |
VCID-he4r-v9gv-tkdh |
|
| 35 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 36 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 37 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 38 |
| vulnerability |
VCID-mjce-crza-h7d4 |
|
| 39 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 40 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 41 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 42 |
| vulnerability |
VCID-pbwe-39av-sydg |
|
| 43 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 44 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 45 |
| vulnerability |
VCID-pt73-zjft-syhk |
|
| 46 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 47 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 48 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 49 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 50 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 51 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 52 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 53 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 54 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 55 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 56 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 57 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 58 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 59 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 60 |
| vulnerability |
VCID-xfwe-ku14-gfe7 |
|
| 61 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 62 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 63 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.0 |
|
|
| aliases |
CVE-2023-28821, GHSA-ph6g-6v8w-8p6m
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e9xf-aufp-7ffa |
|
| 28 |
| url |
VCID-eyep-q35n-ebcv |
| vulnerability_id |
VCID-eyep-q35n-ebcv |
| summary |
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board
instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious
JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v4 score of 4.6 with a vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Concrete versions below 9 are not affected by this vulnerability.Thanks fhAnso for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC). |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4353 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00385 |
| scoring_system |
epss |
| scoring_elements |
0.60172 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00385 |
| scoring_system |
epss |
| scoring_elements |
0.60283 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00385 |
| scoring_system |
epss |
| scoring_elements |
0.60279 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00385 |
| scoring_system |
epss |
| scoring_elements |
0.6029 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4353 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/concretecms/concretecms/pull/12151 |
| reference_id |
12151 |
| reference_type |
|
| scores |
| 0 |
| value |
3.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
4.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-08-01T18:37:36Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/12151 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-4353, GHSA-3cpf-jmmc-8jm3
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-eyep-q35n-ebcv |
|
| 29 |
| url |
VCID-fvdb-zeth-8qh7 |
| vulnerability_id |
VCID-fvdb-zeth-8qh7 |
| summary |
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-48648 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00729 |
| scoring_system |
epss |
| scoring_elements |
0.73114 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00729 |
| scoring_system |
epss |
| scoring_elements |
0.73205 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00729 |
| scoring_system |
epss |
| scoring_elements |
0.73191 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00729 |
| scoring_system |
epss |
| scoring_elements |
0.73207 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-48648 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.2 |
| purl |
pkg:composer/concrete5/concrete5@9.2.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 6 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 7 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 8 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 9 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 10 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 11 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 12 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 13 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 14 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 15 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 16 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 17 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 18 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 19 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 20 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 21 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 22 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 23 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 24 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 25 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 26 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 27 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 28 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 29 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 30 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 31 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 32 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 33 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.2 |
|
|
| aliases |
CVE-2023-48648, GHSA-m87h-jxr6-f82w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fvdb-zeth-8qh7 |
|
| 30 |
| url |
VCID-g134-5qhy-mudn |
| vulnerability_id |
VCID-g134-5qhy-mudn |
| summary |
ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate (SIGSEGV) and the web server to return a 500 error. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-30662 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.1891 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18751 |
| published_at |
2026-06-11T12:55:00Z |
|
| 2 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18934 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00059 |
| scoring_system |
epss |
| scoring_elements |
0.18916 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-30662 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-30662, GHSA-p68c-rmfh-j48h
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g134-5qhy-mudn |
|
| 31 |
| url |
VCID-g3pw-h46n-fyac |
| vulnerability_id |
VCID-g3pw-h46n-fyac |
| summary |
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43967 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71578 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71589 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71492 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71591 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43967 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.3 |
| purl |
pkg:composer/concrete5/concrete5@9.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 5 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 6 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 7 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 8 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 9 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 10 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 11 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 12 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 13 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 14 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 15 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 16 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 17 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 18 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 19 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 20 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 21 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 22 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 23 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 24 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 25 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 26 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 27 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 28 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 29 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 30 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 31 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 32 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 33 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 34 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 35 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 36 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 37 |
| vulnerability |
VCID-s6vy-zjm8-n7bc |
|
| 38 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 39 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 40 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 41 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 42 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 43 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 44 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 45 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 46 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 47 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 48 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 49 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 50 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 51 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.3 |
|
|
| aliases |
CVE-2022-43967, GHSA-vq39-q549-g786
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-g3pw-h46n-fyac |
|
| 32 |
| url |
VCID-gg3x-yz6u-nygp |
| vulnerability_id |
VCID-gg3x-yz6u-nygp |
| summary |
|
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-44761 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.53584 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.5371 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.53725 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.53712 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-44761 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.2 |
| purl |
pkg:composer/concrete5/concrete5@9.2.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 6 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 7 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 8 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 9 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 10 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 11 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 12 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 13 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 14 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 15 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 16 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 17 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 18 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 19 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 20 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 21 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 22 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 23 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 24 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 25 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 26 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 27 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 28 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 29 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 30 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 31 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 32 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 33 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.2 |
|
|
| aliases |
CVE-2023-44761, GHSA-p4jj-gwpg-9jwh
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gg3x-yz6u-nygp |
|
| 33 |
| url |
VCID-h56x-jv8r-a3aq |
| vulnerability_id |
VCID-h56x-jv8r-a3aq |
| summary |
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43687 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0031 |
| scoring_system |
epss |
| scoring_elements |
0.54553 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.0031 |
| scoring_system |
epss |
| scoring_elements |
0.54679 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.0031 |
| scoring_system |
epss |
| scoring_elements |
0.54695 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.0031 |
| scoring_system |
epss |
| scoring_elements |
0.54678 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43687 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.3 |
| purl |
pkg:composer/concrete5/concrete5@9.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 5 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 6 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 7 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 8 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 9 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 10 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 11 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 12 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 13 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 14 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 15 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 16 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 17 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 18 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 19 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 20 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 21 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 22 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 23 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 24 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 25 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 26 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 27 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 28 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 29 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 30 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 31 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 32 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 33 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 34 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 35 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 36 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 37 |
| vulnerability |
VCID-s6vy-zjm8-n7bc |
|
| 38 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 39 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 40 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 41 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 42 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 43 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 44 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 45 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 46 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 47 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 48 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 49 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 50 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 51 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.3 |
|
|
| aliases |
CVE-2022-43687, GHSA-m53v-5x5x-5m2p
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h56x-jv8r-a3aq |
|
| 34 |
| url |
VCID-h67e-b4s5-guac |
| vulnerability_id |
VCID-h67e-b4s5-guac |
| summary |
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43690 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.57046 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.57054 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.5704 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56919 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43690 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.3 |
| purl |
pkg:composer/concrete5/concrete5@9.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 5 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 6 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 7 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 8 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 9 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 10 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 11 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 12 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 13 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 14 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 15 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 16 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 17 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 18 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 19 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 20 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 21 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 22 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 23 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 24 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 25 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 26 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 27 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 28 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 29 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 30 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 31 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 32 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 33 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 34 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 35 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 36 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 37 |
| vulnerability |
VCID-s6vy-zjm8-n7bc |
|
| 38 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 39 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 40 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 41 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 42 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 43 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 44 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 45 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 46 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 47 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 48 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 49 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 50 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 51 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.3 |
|
|
| aliases |
CVE-2022-43690, GHSA-q56r-mw39-944g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-h67e-b4s5-guac |
|
| 35 |
| url |
VCID-hdw7-spv5-k3c6 |
| vulnerability_id |
VCID-hdw7-spv5-k3c6 |
| summary |
Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v4.0 rank of 4.6 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks, m3dium for reporting. (CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC) |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7394 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.03921 |
| scoring_system |
epss |
| scoring_elements |
0.88575 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.03921 |
| scoring_system |
epss |
| scoring_elements |
0.88619 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.03921 |
| scoring_system |
epss |
| scoring_elements |
0.88621 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.03921 |
| scoring_system |
epss |
| scoring_elements |
0.88614 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7394 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/concretecms/concretecms/pull/12166 |
| reference_id |
12166 |
| reference_type |
|
| scores |
| 0 |
| value |
2.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
4.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T12:54:29Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/12166 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-7394, GHSA-w6j6-w6jx-vf2r
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hdw7-spv5-k3c6 |
|
| 36 |
| url |
VCID-he4r-v9gv-tkdh |
| vulnerability_id |
VCID-he4r-v9gv-tkdh |
| summary |
Concrete CMS vulnerable to Cross-site Scripting |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43688 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0037 |
| scoring_system |
epss |
| scoring_elements |
0.59355 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.0037 |
| scoring_system |
epss |
| scoring_elements |
0.59352 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.0037 |
| scoring_system |
epss |
| scoring_elements |
0.5924 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.0037 |
| scoring_system |
epss |
| scoring_elements |
0.59364 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43688 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.3 |
| purl |
pkg:composer/concrete5/concrete5@9.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 5 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 6 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 7 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 8 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 9 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 10 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 11 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 12 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 13 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 14 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 15 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 16 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 17 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 18 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 19 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 20 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 21 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 22 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 23 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 24 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 25 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 26 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 27 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 28 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 29 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 30 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 31 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 32 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 33 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 34 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 35 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 36 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 37 |
| vulnerability |
VCID-s6vy-zjm8-n7bc |
|
| 38 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 39 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 40 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 41 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 42 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 43 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 44 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 45 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 46 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 47 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 48 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 49 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 50 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 51 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.3 |
|
|
| aliases |
CVE-2022-43688, GHSA-9jc5-9wh5-mc36
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-he4r-v9gv-tkdh |
|
| 37 |
| url |
VCID-htqe-191f-1yab |
| vulnerability_id |
VCID-htqe-191f-1yab |
| summary |
Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color. A rogue admin could add malicious code to the Thumbnails/Add-Type. The Concrete CMS Security Team gave this a CVSS v4 score of 5.1 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks, Alexey Solovyev for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC). |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-8291 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00339 |
| scoring_system |
epss |
| scoring_elements |
0.57049 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00339 |
| scoring_system |
epss |
| scoring_elements |
0.57175 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00339 |
| scoring_system |
epss |
| scoring_elements |
0.57168 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00339 |
| scoring_system |
epss |
| scoring_elements |
0.57182 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-8291 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/concretecms/concretecms/pull/12183 |
| reference_id |
12183 |
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-25T17:05:39Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/12183 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-8291, GHSA-q7qr-22qw-pqgx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-htqe-191f-1yab |
|
| 38 |
|
| 39 |
| url |
VCID-m9p2-uh8x-zuh8 |
| vulnerability_id |
VCID-m9p2-uh8x-zuh8 |
| summary |
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28474 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01927 |
| scoring_system |
epss |
| scoring_elements |
0.83763 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.01927 |
| scoring_system |
epss |
| scoring_elements |
0.83826 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.01927 |
| scoring_system |
epss |
| scoring_elements |
0.83829 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.01927 |
| scoring_system |
epss |
| scoring_elements |
0.8382 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28474 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://concretecms.com |
| reference_id |
concretecms.com |
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-16T19:30:45Z/ |
|
|
| url |
https://concretecms.com |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.0 |
| purl |
pkg:composer/concrete5/concrete5@9.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 6 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 7 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 8 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 9 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 10 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 11 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 12 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 13 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 14 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 15 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 16 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 17 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 18 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 19 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 20 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 21 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 22 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 23 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 24 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 25 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 26 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 27 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 28 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 29 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 30 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 31 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 32 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 33 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 34 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 35 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 36 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 37 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 38 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 39 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 40 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 41 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 42 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.0 |
|
|
| aliases |
CVE-2023-28474, GHSA-2j26-j953-2rph
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m9p2-uh8x-zuh8 |
|
| 40 |
| url |
VCID-mjce-crza-h7d4 |
| vulnerability_id |
VCID-mjce-crza-h7d4 |
| summary |
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43693 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00428 |
| scoring_system |
epss |
| scoring_elements |
0.629 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00428 |
| scoring_system |
epss |
| scoring_elements |
0.63009 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00428 |
| scoring_system |
epss |
| scoring_elements |
0.63014 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00428 |
| scoring_system |
epss |
| scoring_elements |
0.63002 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43693 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.3 |
| purl |
pkg:composer/concrete5/concrete5@9.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 5 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 6 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 7 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 8 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 9 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 10 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 11 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 12 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 13 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 14 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 15 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 16 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 17 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 18 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 19 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 20 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 21 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 22 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 23 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 24 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 25 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 26 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 27 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 28 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 29 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 30 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 31 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 32 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 33 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 34 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 35 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 36 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 37 |
| vulnerability |
VCID-s6vy-zjm8-n7bc |
|
| 38 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 39 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 40 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 41 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 42 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 43 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 44 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 45 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 46 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 47 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 48 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 49 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 50 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 51 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.3 |
|
|
| aliases |
CVE-2022-43693, GHSA-w8fp-3gwq-gxpw
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mjce-crza-h7d4 |
|
| 41 |
| url |
VCID-n6yd-31cx-zqh2 |
| vulnerability_id |
VCID-n6yd-31cx-zqh2 |
| summary |
A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-44762 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.44812 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.44645 |
| published_at |
2026-06-11T12:55:00Z |
|
| 2 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.44796 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00219 |
| scoring_system |
epss |
| scoring_elements |
0.448 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-44762 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-44762, GHSA-6fm3-r6mf-j875
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n6yd-31cx-zqh2 |
|
| 42 |
| url |
VCID-nahk-p3f1-8bee |
| vulnerability_id |
VCID-nahk-p3f1-8bee |
| summary |
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3241 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.01237 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.01233 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.01227 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.0001 |
| scoring_system |
epss |
| scoring_elements |
0.0123 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3241 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/concretecms/concretecms/pull/12826 |
| reference_id |
12826 |
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T15:41:54Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/12826 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3241, GHSA-f4vq-pj32-gr4q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nahk-p3f1-8bee |
|
| 43 |
| url |
VCID-nuz6-12nr-2yga |
| vulnerability_id |
VCID-nuz6-12nr-2yga |
| summary |
Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.18 are vulnerable to Stored XSS in the "Next&Previous Nav" block. A rogue administrator could add a malicious payload by executing it in the browsers of targeted users. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Since the "Next&Previous Nav" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. Thanks, Chu Quoc Khanh for reporting. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-8661 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00539 |
| scoring_system |
epss |
| scoring_elements |
0.68027 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00539 |
| scoring_system |
epss |
| scoring_elements |
0.68124 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00539 |
| scoring_system |
epss |
| scoring_elements |
0.68128 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00539 |
| scoring_system |
epss |
| scoring_elements |
0.68115 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-8661 |
|
| 1 |
| reference_url |
https://github.com/concretecms/concretecms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
2.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
4.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/concretecms/concretecms |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/concretecms/concretecms/pull/12204 |
| reference_id |
12204 |
| reference_type |
|
| scores |
| 0 |
| value |
2.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
4.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
4.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T20:05:43Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/12204 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
https://nvd.nist.gov/vuln/detail/CVE-2024-8661 |
| reference_id |
CVE-2024-8661 |
| reference_type |
|
| scores |
| 0 |
| value |
2.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
4.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://nvd.nist.gov/vuln/detail/CVE-2024-8661 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-8661, GHSA-xmxj-v2q8-8qx6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nuz6-12nr-2yga |
|
| 44 |
| url |
VCID-pbqg-vpwf-rkfr |
| vulnerability_id |
VCID-pbqg-vpwf-rkfr |
| summary |
Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28820 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00473 |
| scoring_system |
epss |
| scoring_elements |
0.65282 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00473 |
| scoring_system |
epss |
| scoring_elements |
0.65291 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00473 |
| scoring_system |
epss |
| scoring_elements |
0.65293 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00473 |
| scoring_system |
epss |
| scoring_elements |
0.65181 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28820 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://github.com/concretecms/concretecms/releases |
| reference_id |
releases |
| reference_type |
|
| scores |
| 0 |
| value |
2 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AC:H/AV:N/A:N/C:L/I:N/PR:H/S:U/UI:R |
|
| 1 |
| value |
2.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-31T16:09:20Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/releases |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.0 |
| purl |
pkg:composer/concrete5/concrete5@9.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-4h16-ay16-qkcs |
|
| 5 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 6 |
| vulnerability |
VCID-56qq-9y15-nkb7 |
|
| 7 |
| vulnerability |
VCID-683x-bjfm-j3hh |
|
| 8 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 9 |
| vulnerability |
VCID-71ae-y44g-kbbw |
|
| 10 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 11 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 12 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 13 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 14 |
| vulnerability |
VCID-9kyu-9sz6-1bea |
|
| 15 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 16 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 17 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 18 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 19 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 20 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 21 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 22 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 23 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 24 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 25 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 26 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 27 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 28 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 29 |
| vulnerability |
VCID-g3pw-h46n-fyac |
|
| 30 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 31 |
| vulnerability |
VCID-h56x-jv8r-a3aq |
|
| 32 |
| vulnerability |
VCID-h67e-b4s5-guac |
|
| 33 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 34 |
| vulnerability |
VCID-he4r-v9gv-tkdh |
|
| 35 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 36 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 37 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 38 |
| vulnerability |
VCID-mjce-crza-h7d4 |
|
| 39 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 40 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 41 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 42 |
| vulnerability |
VCID-pbwe-39av-sydg |
|
| 43 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 44 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 45 |
| vulnerability |
VCID-pt73-zjft-syhk |
|
| 46 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 47 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 48 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 49 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 50 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 51 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 52 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 53 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 54 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 55 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 56 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 57 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 58 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 59 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 60 |
| vulnerability |
VCID-xfwe-ku14-gfe7 |
|
| 61 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 62 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 63 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.0 |
|
|
| aliases |
CVE-2023-28820, GHSA-fgxj-g7x3-85cq
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pbqg-vpwf-rkfr |
|
| 45 |
| url |
VCID-pbwe-39av-sydg |
| vulnerability_id |
VCID-pbwe-39av-sydg |
| summary |
In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load). |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43686 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00797 |
| scoring_system |
epss |
| scoring_elements |
0.7443 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00797 |
| scoring_system |
epss |
| scoring_elements |
0.74514 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00797 |
| scoring_system |
epss |
| scoring_elements |
0.74516 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00797 |
| scoring_system |
epss |
| scoring_elements |
0.74503 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43686 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.3 |
| purl |
pkg:composer/concrete5/concrete5@9.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 5 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 6 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 7 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 8 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 9 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 10 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 11 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 12 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 13 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 14 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 15 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 16 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 17 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 18 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 19 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 20 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 21 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 22 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 23 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 24 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 25 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 26 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 27 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 28 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 29 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 30 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 31 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 32 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 33 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 34 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 35 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 36 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 37 |
| vulnerability |
VCID-s6vy-zjm8-n7bc |
|
| 38 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 39 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 40 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 41 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 42 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 43 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 44 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 45 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 46 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 47 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 48 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 49 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 50 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 51 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.3 |
|
|
| aliases |
CVE-2022-43686, GHSA-3cxx-3f53-m92c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pbwe-39av-sydg |
|
| 46 |
| url |
VCID-pd9w-6ke4-13hr |
| vulnerability_id |
VCID-pd9w-6ke4-13hr |
| summary |
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Concrete versions below 9 do not include group types so they are not affected by this vulnerability. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1247 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.08195 |
| scoring_system |
epss |
| scoring_elements |
0.92392 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.08195 |
| scoring_system |
epss |
| scoring_elements |
0.92421 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.08195 |
| scoring_system |
epss |
| scoring_elements |
0.92422 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.08195 |
| scoring_system |
epss |
| scoring_elements |
0.92419 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1247 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.5 |
| purl |
pkg:composer/concrete5/concrete5@9.2.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 2 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 3 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 4 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 5 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 6 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 7 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 8 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 9 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 10 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 11 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 12 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 13 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 14 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 15 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 16 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 17 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 18 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 19 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 20 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 21 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 22 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 23 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 24 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 25 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.5 |
|
|
| aliases |
CVE-2024-1247, GHSA-q25h-jch8-gfrp
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pd9w-6ke4-13hr |
|
| 47 |
| url |
VCID-pgfy-52ca-wbbf |
| vulnerability_id |
VCID-pgfy-52ca-wbbf |
| summary |
Concrete CMS versions 9.0.0 through 9.3.3 are affected by a
stored XSS vulnerability in the "Top Navigator Bar" block.
Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page.The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6
with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N . This
does not affect versions below 9.0.0 since they do not have the Top
Navigator Bar Block. Thanks, Chu Quoc Khanh for reporting. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-8660 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00311 |
| scoring_system |
epss |
| scoring_elements |
0.54673 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00311 |
| scoring_system |
epss |
| scoring_elements |
0.54798 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00311 |
| scoring_system |
epss |
| scoring_elements |
0.54814 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00311 |
| scoring_system |
epss |
| scoring_elements |
0.54797 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-8660 |
|
| 1 |
| reference_url |
https://github.com/concretecms/concretecms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
4.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/concretecms/concretecms |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/concretecms/concretecms/pull/12128 |
| reference_id |
12128 |
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
4.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
4.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T14:26:10Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/12128 |
|
| 4 |
|
| 5 |
| reference_url |
https://nvd.nist.gov/vuln/detail/CVE-2024-8660 |
| reference_id |
CVE-2024-8660 |
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
|
| 1 |
| value |
4.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://nvd.nist.gov/vuln/detail/CVE-2024-8660 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-8660, GHSA-998c-q8hh-h8gv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pgfy-52ca-wbbf |
|
| 48 |
| url |
VCID-pt73-zjft-syhk |
| vulnerability_id |
VCID-pt73-zjft-syhk |
| summary |
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43968 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71578 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71589 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71492 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00656 |
| scoring_system |
epss |
| scoring_elements |
0.71591 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43968 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.3 |
| purl |
pkg:composer/concrete5/concrete5@9.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 5 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 6 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 7 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 8 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 9 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 10 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 11 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 12 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 13 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 14 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 15 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 16 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 17 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 18 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 19 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 20 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 21 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 22 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 23 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 24 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 25 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 26 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 27 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 28 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 29 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 30 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 31 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 32 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 33 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 34 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 35 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 36 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 37 |
| vulnerability |
VCID-s6vy-zjm8-n7bc |
|
| 38 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 39 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 40 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 41 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 42 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 43 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 44 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 45 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 46 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 47 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 48 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 49 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 50 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 51 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.3 |
|
|
| aliases |
CVE-2022-43968, GHSA-8782-xgh5-r7mv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pt73-zjft-syhk |
|
| 49 |
| url |
VCID-qndd-2vmq-guen |
| vulnerability_id |
VCID-qndd-2vmq-guen |
| summary |
In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3240 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01379 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01394 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01381 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.0139 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3240 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3240, GHSA-45fj-fvmm-xcc5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qndd-2vmq-guen |
|
| 50 |
| url |
VCID-rgjf-p329-vbf8 |
| vulnerability_id |
VCID-rgjf-p329-vbf8 |
| summary |
Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page editing. Prior to the fix, a rogue administrator could insert malicious code in the custom class field due to insufficient validation of administrator provided data. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-3179 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28128 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28142 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28153 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.2793 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-3179 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.8 |
| purl |
pkg:composer/concrete5/concrete5@9.2.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 1 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 2 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 3 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 4 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 5 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 6 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 7 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 8 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 9 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 10 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 11 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 12 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 13 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 14 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 15 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 16 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 17 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 18 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 19 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.8 |
|
|
| aliases |
CVE-2024-3179, GHSA-r7q4-cw9r-vhp4
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rgjf-p329-vbf8 |
|
| 51 |
| url |
VCID-rkx3-e4r3-c3gh |
| vulnerability_id |
VCID-rkx3-e4r3-c3gh |
| summary |
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of ZUSO ART https://zuso.ai/ for reporting. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3452 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00273 |
| scoring_system |
epss |
| scoring_elements |
0.51008 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00273 |
| scoring_system |
epss |
| scoring_elements |
0.51142 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00273 |
| scoring_system |
epss |
| scoring_elements |
0.51139 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00273 |
| scoring_system |
epss |
| scoring_elements |
0.51154 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3452 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3452, GHSA-gj26-w59c-29mf
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rkx3-e4r3-c3gh |
|
| 52 |
|
| 53 |
| url |
VCID-tt5n-k5h8-xufp |
| vulnerability_id |
VCID-tt5n-k5h8-xufp |
| summary |
|
| references |
| 0 |
| reference_url |
https://github.com/concretecms/concretecms |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/concretecms/concretecms |
|
| 1 |
|
| 2 |
| reference_url |
https://nvd.nist.gov/vuln/detail/CVE-2025-2967 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://nvd.nist.gov/vuln/detail/CVE-2025-2967 |
|
| 3 |
| reference_url |
https://vuldb.com/?ctiid.302019 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://vuldb.com/?ctiid.302019 |
|
| 4 |
| reference_url |
https://vuldb.com/?id.302019 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://vuldb.com/?id.302019 |
|
| 5 |
| reference_url |
https://vuldb.com/?submit.522417 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
3.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://vuldb.com/?submit.522417 |
|
| 6 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-2967, GHSA-xfqf-5rhg-5c73
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tt5n-k5h8-xufp |
|
| 54 |
| url |
VCID-ty11-5ff4-s7av |
| vulnerability_id |
VCID-ty11-5ff4-s7av |
| summary |
Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-48653 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00839 |
| scoring_system |
epss |
| scoring_elements |
0.75217 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.00839 |
| scoring_system |
epss |
| scoring_elements |
0.7522 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.00839 |
| scoring_system |
epss |
| scoring_elements |
0.75137 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00839 |
| scoring_system |
epss |
| scoring_elements |
0.75207 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-48653 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.3 |
| purl |
pkg:composer/concrete5/concrete5@9.2.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 6 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 7 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 8 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 9 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 10 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 11 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 12 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 13 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 14 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 15 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 16 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 17 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 18 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 19 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 20 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 21 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 22 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 23 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 24 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 25 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 26 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 27 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 28 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.3 |
|
|
| aliases |
CVE-2023-48653, GHSA-3rxx-8f33-7p6p
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ty11-5ff4-s7av |
|
| 55 |
| url |
VCID-tzyh-y7uc-hff9 |
| vulnerability_id |
VCID-tzyh-y7uc-hff9 |
| summary |
Concrete CMS before 8.5.14 and 9 before 9.2.3 is vulnerable to an admin adding a stored XSS payload via the Layout Preset name. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-48650 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01073 |
| scoring_system |
epss |
| scoring_elements |
0.78255 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.01073 |
| scoring_system |
epss |
| scoring_elements |
0.78259 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.01073 |
| scoring_system |
epss |
| scoring_elements |
0.78177 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.01073 |
| scoring_system |
epss |
| scoring_elements |
0.78245 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-48650 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.3 |
| purl |
pkg:composer/concrete5/concrete5@9.2.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 6 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 7 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 8 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 9 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 10 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 11 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 12 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 13 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 14 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 15 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 16 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 17 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 18 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 19 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 20 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 21 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 22 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 23 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 24 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 25 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 26 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 27 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 28 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.3 |
|
|
| aliases |
CVE-2023-48650, GHSA-x577-gcc9-9xjj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-tzyh-y7uc-hff9 |
|
| 56 |
| url |
VCID-v39f-kpce-2qhz |
| vulnerability_id |
VCID-v39f-kpce-2qhz |
| summary |
In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks zolpak for reporting |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3244 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01381 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01394 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01379 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.0139 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3244 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3244, GHSA-mm5f-5rqw-574f
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v39f-kpce-2qhz |
|
| 57 |
|
| 58 |
| url |
VCID-vdtu-qtuw-v3fs |
| vulnerability_id |
VCID-vdtu-qtuw-v3fs |
| summary |
Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2994 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01454 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01471 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01456 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01463 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2994 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-2994, GHSA-6mxw-2vhf-42g5
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vdtu-qtuw-v3fs |
|
| 59 |
| url |
VCID-w8rd-ssb2-pkgx |
| vulnerability_id |
VCID-w8rd-ssb2-pkgx |
| summary |
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website user’s browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. This does not affect Concrete versions prior to version 9. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1246 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62662 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62771 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62776 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00425 |
| scoring_system |
epss |
| scoring_elements |
0.62764 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1246 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.5 |
| purl |
pkg:composer/concrete5/concrete5@9.2.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 2 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 3 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 4 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 5 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 6 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 7 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 8 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 9 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 10 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 11 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 12 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 13 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 14 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 15 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 16 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 17 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 18 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 19 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 20 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 21 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 22 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 23 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 24 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 25 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.5 |
|
|
| aliases |
CVE-2024-1246, GHSA-9v3w-cj7m-qh5g
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w8rd-ssb2-pkgx |
|
| 60 |
| url |
VCID-wau6-kvqa-pbgu |
| vulnerability_id |
VCID-wau6-kvqa-pbgu |
| summary |
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v4 score of 5.1 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Thanks, m3dium for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC) |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4350 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01032 |
| scoring_system |
epss |
| scoring_elements |
0.77756 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.01032 |
| scoring_system |
epss |
| scoring_elements |
0.77831 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.01032 |
| scoring_system |
epss |
| scoring_elements |
0.77825 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.01032 |
| scoring_system |
epss |
| scoring_elements |
0.77838 |
| published_at |
2026-06-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4350 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/concretecms/concretecms/pull/12166 |
| reference_id |
12166 |
| reference_type |
|
| scores |
| 0 |
| value |
3.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N |
|
| 1 |
| value |
5.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-09T12:51:55Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/12166 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-4350, GHSA-q5wx-m95r-4cgc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wau6-kvqa-pbgu |
|
| 61 |
| url |
VCID-wqt4-uc3s-zbdn |
| vulnerability_id |
VCID-wqt4-uc3s-zbdn |
| summary |
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-48649 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.79877 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.79869 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.79794 |
| published_at |
2026-06-11T12:55:00Z |
|
| 3 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.79859 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-48649 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/concretecms/concretecms/pull/11695 |
| reference_id |
11695 |
| reference_type |
|
| scores |
| 0 |
| value |
3.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:R |
|
| 1 |
| value |
3.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T14:36:47Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/11695 |
|
| 4 |
| reference_url |
https://github.com/concretecms/concretecms/pull/11739 |
| reference_id |
11739 |
| reference_type |
|
| scores |
| 0 |
| value |
3.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AC:L/AV:N/A:N/C:L/I:N/PR:L/S:U/UI:R |
|
| 1 |
| value |
3.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T14:36:47Z/ |
|
|
| url |
https://github.com/concretecms/concretecms/pull/11739 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.2 |
| purl |
pkg:composer/concrete5/concrete5@9.2.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 6 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 7 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 8 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 9 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 10 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 11 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 12 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 13 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 14 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 15 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 16 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 17 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 18 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 19 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 20 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 21 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 22 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 23 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 24 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 25 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 26 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 27 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 28 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 29 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 30 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 31 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 32 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 33 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.2 |
|
|
| aliases |
CVE-2023-48649, GHSA-36fr-3wg8-q5v8
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wqt4-uc3s-zbdn |
|
| 62 |
| url |
VCID-x48e-w1z4-57ab |
| vulnerability_id |
VCID-x48e-w1z4-57ab |
| summary |
Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks sealldev (Noah Cooper) for reporting via HackerOne. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-8573 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.59175 |
| published_at |
2026-06-12T12:55:00Z |
|
| 1 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.59178 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.59186 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00367 |
| scoring_system |
epss |
| scoring_elements |
0.59062 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-8573 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
https://www.concretecms.org/download |
| reference_id |
download |
| reference_type |
|
| scores |
| 0 |
| value |
2 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 1 |
| value |
2.0 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-06T14:08:41Z/ |
|
|
| url |
https://www.concretecms.org/download |
|
| 8 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-8573, GHSA-c5xf-rmv4-j85h
|
| risk_score |
5.4 |
| exploitability |
2.0 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x48e-w1z4-57ab |
|
| 63 |
| url |
VCID-xfwe-ku14-gfe7 |
| vulnerability_id |
VCID-xfwe-ku14-gfe7 |
| summary |
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43694 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00853 |
| scoring_system |
epss |
| scoring_elements |
0.75376 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.00853 |
| scoring_system |
epss |
| scoring_elements |
0.75455 |
| published_at |
2026-06-14T12:55:00Z |
|
| 2 |
| value |
0.00853 |
| scoring_system |
epss |
| scoring_elements |
0.7546 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.00853 |
| scoring_system |
epss |
| scoring_elements |
0.75447 |
| published_at |
2026-06-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-43694 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.1.3 |
| purl |
pkg:composer/concrete5/concrete5@9.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1zw6-abpq-aqee |
|
| 1 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 2 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 3 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 4 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 5 |
| vulnerability |
VCID-69vg-twmj-jfb2 |
|
| 6 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 7 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 8 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 9 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 10 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 11 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 12 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 13 |
| vulnerability |
VCID-bbxq-cdbp-vucg |
|
| 14 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 15 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 16 |
| vulnerability |
VCID-cyhv-k8b7-u3dc |
|
| 17 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 18 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 19 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 20 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 21 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 22 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 23 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 24 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 25 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 26 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 27 |
| vulnerability |
VCID-j9t7-y29v-6bb7 |
|
| 28 |
| vulnerability |
VCID-m9p2-uh8x-zuh8 |
|
| 29 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 30 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 31 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 32 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 33 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 34 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 35 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 36 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 37 |
| vulnerability |
VCID-s6vy-zjm8-n7bc |
|
| 38 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 39 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 40 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 41 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 42 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 43 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 44 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 45 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 46 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 47 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 48 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 49 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
| 50 |
| vulnerability |
VCID-yjan-urxm-g3a4 |
|
| 51 |
| vulnerability |
VCID-yu9q-pa9p-huck |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.1.3 |
|
|
| aliases |
CVE-2022-43694, GHSA-jfmc-3975-fv5f
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xfwe-ku14-gfe7 |
|
| 64 |
| url |
VCID-yc8g-gqaj-8ycj |
| vulnerability_id |
VCID-yc8g-gqaj-8ycj |
| summary |
Concrete CMS before 9.2.3 allows Stored XSS on the Admin Dashboard via /dashboard/system/basics/name. (8.5 and earlier are unaffected.) |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49337 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.64476 |
| published_at |
2026-06-13T12:55:00Z |
|
| 1 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.64464 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.64472 |
| published_at |
2026-06-14T12:55:00Z |
|
| 3 |
| value |
0.00457 |
| scoring_system |
epss |
| scoring_elements |
0.64362 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-49337 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://hackerone.com/reports/2232594 |
| reference_id |
2232594 |
| reference_type |
|
| scores |
| 0 |
| value |
2.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AC:L/AV:N/A:N/C:N/I:L/PR:H/S:U/UI:R |
|
| 1 |
| value |
2.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N |
|
| 2 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-26T13:59:44Z/ |
|
|
| url |
https://hackerone.com/reports/2232594 |
|
| 5 |
|
| 6 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.3 |
| purl |
pkg:composer/concrete5/concrete5@9.2.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 6 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 7 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 8 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 9 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 10 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 11 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 12 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 13 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 14 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 15 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 16 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 17 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 18 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 19 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 20 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 21 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 22 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 23 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 24 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 25 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 26 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 27 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 28 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.3 |
|
|
| aliases |
CVE-2023-49337, GHSA-9xxv-q6pp-96wq
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yc8g-gqaj-8ycj |
|
| 65 |
| url |
VCID-yjan-urxm-g3a4 |
| vulnerability_id |
VCID-yjan-urxm-g3a4 |
| summary |
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section. |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28473 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0074 |
| scoring_system |
epss |
| scoring_elements |
0.73474 |
| published_at |
2026-06-14T12:55:00Z |
|
| 1 |
| value |
0.0074 |
| scoring_system |
epss |
| scoring_elements |
0.73476 |
| published_at |
2026-06-13T12:55:00Z |
|
| 2 |
| value |
0.0074 |
| scoring_system |
epss |
| scoring_elements |
0.73461 |
| published_at |
2026-06-12T12:55:00Z |
|
| 3 |
| value |
0.0074 |
| scoring_system |
epss |
| scoring_elements |
0.73386 |
| published_at |
2026-06-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28473 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://concretecms.com |
| reference_id |
concretecms.com |
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-27T14:41:07Z/ |
|
|
| url |
https://concretecms.com |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.0 |
| purl |
pkg:composer/concrete5/concrete5@9.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 6 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 7 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 8 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 9 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 10 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 11 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 12 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 13 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 14 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 15 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 16 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 17 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 18 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 19 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 20 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 21 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 22 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 23 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 24 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 25 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 26 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 27 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 28 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 29 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 30 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 31 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 32 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 33 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 34 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 35 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 36 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 37 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 38 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 39 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 40 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 41 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 42 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.0 |
|
|
| aliases |
CVE-2023-28473, GHSA-pj76-75cm-3552
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yjan-urxm-g3a4 |
|
| 66 |
| url |
VCID-yu9q-pa9p-huck |
| vulnerability_id |
VCID-yu9q-pa9p-huck |
| summary |
|
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28475 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02087 |
| scoring_system |
epss |
| scoring_elements |
0.84375 |
| published_at |
2026-06-11T12:55:00Z |
|
| 1 |
| value |
0.02087 |
| scoring_system |
epss |
| scoring_elements |
0.8443 |
| published_at |
2026-06-12T12:55:00Z |
|
| 2 |
| value |
0.02087 |
| scoring_system |
epss |
| scoring_elements |
0.84439 |
| published_at |
2026-06-13T12:55:00Z |
|
| 3 |
| value |
0.02087 |
| scoring_system |
epss |
| scoring_elements |
0.84432 |
| published_at |
2026-06-14T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-28475 |
|
| 1 |
|
| 2 |
|
| 3 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:composer/concrete5/concrete5@9.2.0 |
| purl |
pkg:composer/concrete5/concrete5@9.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2a3x-n2fy-eqce |
|
| 1 |
| vulnerability |
VCID-2x2h-cef1-yfee |
|
| 2 |
| vulnerability |
VCID-3514-7uhf-pufd |
|
| 3 |
| vulnerability |
VCID-542x-fkyy-sfcp |
|
| 4 |
| vulnerability |
VCID-7mj3-9jvf-vudw |
|
| 5 |
| vulnerability |
VCID-7whk-wmkw-vuec |
|
| 6 |
| vulnerability |
VCID-8war-c3pp-kuf5 |
|
| 7 |
| vulnerability |
VCID-9j62-yk3f-bfgk |
|
| 8 |
| vulnerability |
VCID-9z1s-b811-3ug2 |
|
| 9 |
| vulnerability |
VCID-acs4-8efj-jqa5 |
|
| 10 |
| vulnerability |
VCID-afq8-b83x-ckfn |
|
| 11 |
| vulnerability |
VCID-c2xh-rq7d-wqey |
|
| 12 |
| vulnerability |
VCID-chav-mybs-syd2 |
|
| 13 |
| vulnerability |
VCID-d263-cpsv-fkeg |
|
| 14 |
| vulnerability |
VCID-d4bd-m93f-aqf2 |
|
| 15 |
| vulnerability |
VCID-dgf1-ded8-4uef |
|
| 16 |
| vulnerability |
VCID-dx1t-b982-5ucd |
|
| 17 |
| vulnerability |
VCID-eyep-q35n-ebcv |
|
| 18 |
| vulnerability |
VCID-fvdb-zeth-8qh7 |
|
| 19 |
| vulnerability |
VCID-g134-5qhy-mudn |
|
| 20 |
| vulnerability |
VCID-gg3x-yz6u-nygp |
|
| 21 |
| vulnerability |
VCID-hdw7-spv5-k3c6 |
|
| 22 |
| vulnerability |
VCID-htqe-191f-1yab |
|
| 23 |
| vulnerability |
VCID-n6yd-31cx-zqh2 |
|
| 24 |
| vulnerability |
VCID-nahk-p3f1-8bee |
|
| 25 |
| vulnerability |
VCID-nuz6-12nr-2yga |
|
| 26 |
| vulnerability |
VCID-pd9w-6ke4-13hr |
|
| 27 |
| vulnerability |
VCID-pgfy-52ca-wbbf |
|
| 28 |
| vulnerability |
VCID-qndd-2vmq-guen |
|
| 29 |
| vulnerability |
VCID-rgjf-p329-vbf8 |
|
| 30 |
| vulnerability |
VCID-rkx3-e4r3-c3gh |
|
| 31 |
| vulnerability |
VCID-tgvt-rgwm-d7de |
|
| 32 |
| vulnerability |
VCID-tt5n-k5h8-xufp |
|
| 33 |
| vulnerability |
VCID-ty11-5ff4-s7av |
|
| 34 |
| vulnerability |
VCID-tzyh-y7uc-hff9 |
|
| 35 |
| vulnerability |
VCID-v39f-kpce-2qhz |
|
| 36 |
| vulnerability |
VCID-vbae-fwnr-zff5 |
|
| 37 |
| vulnerability |
VCID-vdtu-qtuw-v3fs |
|
| 38 |
| vulnerability |
VCID-w8rd-ssb2-pkgx |
|
| 39 |
| vulnerability |
VCID-wau6-kvqa-pbgu |
|
| 40 |
| vulnerability |
VCID-wqt4-uc3s-zbdn |
|
| 41 |
| vulnerability |
VCID-x48e-w1z4-57ab |
|
| 42 |
| vulnerability |
VCID-yc8g-gqaj-8ycj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.0 |
|
|
| aliases |
CVE-2023-28475, GHSA-vcpr-hm2m-gjjj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yu9q-pa9p-huck |
|