Security
A number of medium and low severity security vulnerabilities have been fixed in version 9.2.2. Also, as part of our commitment to extend support to Concrete CMS version 8.5 through 2024, we have backported a large number of security fixes into Concrete 8.5.13. We are also updating a number of published Concrete CVEs to clarify that they do not apply to version 8.5. [updated 21 Nov 2023 to provide CVE numbers]
If it is a valid vulnerability, the team can make sure there’s a fix available before the vulnerability is disclosed to the public. That makes the internet safer for all! If it is not a valid finding, the reporter can learn more about the system, the public is not alarmed unnecessarily, and everyone can save time.
Concrete CMS is requesting that MITRE close CVE-2023-44763, which was submitted by a community member without the Concrete CMS Team's knowledge.
It recently came to our attention that NIST misunderstood the likelihood and impact of a vulnerability that PortlandLabs, the founders and maintainers of the open source project Concrete CMS, recently reported.
A number of medium and low severity security vulnerabilities have been fixed in version 9 through 9.2. Thanks so much to all the community members who report vulnerabilities following the process outlined on https://www.concretecms.org/security so that they can be triaged and remediated!
Fortbridge, an independent external penetration testing firm, has just concluded the 2022 annual penetration testing and vulnerability assessment of Concrete CMS Hosting as well as the open source project. If you host sites or intranets on Concrete CMS Hosting, we would be happy to provide you with a copy of the report upon request.
We recently announced that Concrete v8 will be end of life in late 2022, but that doesn’t have to mean you won’t be able to run a Concrete v8 site beyond New Year's.
[Update 14 Nov 2023 - Concrete v8 will have extended security maintenance through 2024]
Updated 2022-09-14: Critical security updates for Concrete v8 will be issued through the end of 2023. More info - https://www.concretecms.org/about/project-news/security/security-support-concrete-v8x
Original Blog:
Please be aware that Concrete CMS version 8 will be EOL on 31 Dec 2022. We encourage you to plan to upgrade to Concrete version 9 before then. You are going to love the new features that come with version 9!
Concrete CMS has had a privacy policy for years which encompassed the Concrete related websites and the open source project. Now we have created a Concrete CMS Hosting Privacy Policy for those who host their websites and intranets with us.
We are normally informed about supply chain hacks like this one from sources such as US-CERT (Homeland Security), DoD ARCYBER, SANS and the like. Official sources like these are important to follow to stay current, but yesterday we saw one happen more or less in real time.