A number of medium and low severity security vulnerabilities have been fixed in versions 9 through 9.2. Thanks so much to all the community members who report vulnerabilities following the process outlined on https://www.concretecms.org/security so that they can be triaged and remediated!
Concrete CMS Security Advisory 2023-04-20
Please note that CVE-2022-46464 was NOT created by the Concrete CMS team. After finding out about the CVE and investigating, our security team has determined that it is not a valid vulnerability. We have informed MITRE to have it recalled.
We have obtained the following new Concrete CMS CVEs to advise the community of validated weaknesses in previous versions.
CVE-2023-28477
Concrete CMS (previously concrete5) below 9.2 is vulnerable to stored XSS on API Integrations via the name parameter. Prior to the fix, while adding API Integrations in Concrete CMS, the name parameter accepted special characters, enabling malicious JavaScript payloads affecting /dashboard/system/api/integrations and /dashboard/system/api/integrations/view_client/unique-id. The Concrete CMS Security team scored this 5.5 with CVSS v3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N. Thanks Veshraj Ghimire for reporting H1 1753684 and providing the fix.
CVE-2023-28476
Concrete CMS (previously concrete5) below 9.2 is vulnerable to stored XSS on Tags. Prior to the fix, there was no sanitization when adding tags to uploaded files. The Concrete CMS Security team scored this 4.5 with CVSS v3.1 vector AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N. Thanks Veshraj Ghimire and Ashim Chapagain for reporting H1 1767949 and providing the fix.
CVE-2023-28475
Concrete CMS (previously concrete5) below 9.2 is vulnerable to reflected XSS on the Reply form, since msgID was not sanitized. The Concrete CMS Security team scored this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. Thanks Bogdan Tiron from Fortbridge for reporting H1 1772092.
CVE-2023-28474
Concrete CMS (previously concrete5) below 9.2 is vulnerable to stored XSS on Saved Preset. Prior to the fix, there was no sanitization when saving search presets. The Concrete CMS Security team scored this 3.5 with CVSS v3.1 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. Thanks Veshraj Ghimire for reporting H1 1768494.
CVE-2023-28472
Concrete CMS (previously concrete5) below 9.2 does not set the Secure and HttpOnly attributes on ccmPoll cookies. The Concrete CMS Security team scored this 3.4 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N.
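To confirm on a running site that this item is fixed, here is an added example (not Concrete CMS project code) that parses the Set-Cookie headers of a response and reports any ccmPoll cookie that lacks Secure or HttpOnly. The header values below are constructed samples; a real check would feed in the Set-Cookie headers of an actual response.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Cookie names to audit; ccmPoll is the cookie named in CVE-2023-28472.
AUDITED_COOKIES = ("ccmPoll",)

@dataclass
class CookieAudit:
    name: str
    attributes: Dict[str, str] = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes

def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie value into its name and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:  # skip empty segments left by trailing semicolons
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return CookieAudit(name, attrs)

def audit_set_cookie_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map each audited cookie seen in the headers to the attributes it lacks."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name in AUDITED_COOKIES:
            checks = (("Secure", cookie.secure), ("HttpOnly", cookie.httponly))
            findings[cookie.name] = [attr for attr, ok in checks if not ok]
    return findings

# Constructed sample headers: the first list mimics a pre-9.2 response, the second a fixed one.
VULNERABLE_HEADERS = ["ccmPoll=abc123; Path=/", "other=xyz; Path=/; HttpOnly; Secure"]
FIXED_HEADERS = ["ccmPoll=abc123; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit_set_cookie_headers(hdrs))
```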
CVE-2023-28473
Concrete CMS (previously concrete5) below 9.2 is vulnerable to a possible authentication bypass in the jobs section. The Concrete CMS Security team scored this 2.2 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N. Thanks Adrian Tiron from Fortbridge for reporting H1 1772230.
CVE-2023-28471
Concrete CMS (previously concrete5) below 9.2 is vulnerable to stored XSS on container name. Prior to the fix, there was no sanitization of the container name. The Concrete CMS Security team scored this 2.0 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. Thanks Ashim Chapagain for reporting H1 1866111.
CVE-2023-28821
Concrete CMS (previously concrete5) below 9.1 did not have a rate limit on password reset. The fix relies on a completely new library added in version 9, which is not present in version 8. The Concrete CMS Security team scored this 5.3 with CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. Thanks @0x0002 for reporting H1 1480296.
CVE-2023-28819
Concrete CMS (previously concrete5) below 9.1 is vulnerable to stored XSS in uploaded file and folder names, since Concrete CMS rendered the data without sanitizing it. The Concrete CMS Security team scored this 3.5 with CVSS v3.1 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. Thanks solov9ev for reporting H1 1472270.
CVE-2023-28820
Concrete CMS (previously concrete5) below 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute, since the link element input was not sanitized. The Concrete CMS Security team scored this 2.0 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. Thanks Anna for reporting H1 1483104.
Please also be advised that Concrete CMS (previously concrete5) versions 9.0.0 - 9.1.3 contain a vulnerable version of moment.js, which could slow Concrete CMS down if a Concrete CMS administrator deliberately passed user-provided dates into the moment.js library. Thanks Fortbridge and also Christian for reporting.