Headline
CVE-2023-28821: Releases · concretecms/concretecms
Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.
9.2.0
Major New Features
- Refinements to the in-page editing experience: better highlight of editable blocks and areas, better delineation of containers, layouts and in-page areas, better hit areas for draggable blocks and much more.
- New “Site Health” Hub: run reports against your site to ensure that its optimally configured. Extensible reports engine ships with the ability to check site for production status settings, cache settings, unauthorized JavaScript and more. Learn more at https://www.youtube.com/watch?v=K76xk1E6hPE
- Complete 1.0 REST API with coverage of major Concrete CMS features, including pages, users, files, Express objects and more.
New Features
- Added production modes to the Dashboard - tell Concrete whether this copy is in development, staging or production mode. Useful when running security health checks, or automatically displaying a staging notice to admins or visitors on a staging copy of a site.
- Added the ability to view and retry failed queue messages within the Dashboard and through the use of a command line tool. (https://www.loom.com/share/83530934986940b98f74ebe108e49c6e)
- Added a button to clear all running processes in case any get stuck.
- Adds ability to configure Composer form sets to be collapsable (thanks Mesuva)
- Adds option to filter events in Event List by Past, Future or All Events (thanks katalysis)
- Adds option to change sort order by Most Recent First or Oldest First (thanks katalysis)
- Added new password strength meter to user creation and password changing Dashboard pages (thanks shahroq)
- Added new URL Slug Dashboard page to the SEO section, where you can change settings related to URL slugs (thanks hissy)
- We no longer fall back to using the super admin’s email address as the default address if certain specific addresses aren’t set; instead we use a new config value “default email address”, settable in config code and from the Dashboard email options page (Thanks mlocati)
- Added the ability to specify several allowed IP addresses to avoid triggering logout on IP address change. Added user-specific IP address overrides as well (thanks mlocati)
- Improvements to user experience when passwords are reset for users by administrators, either for a single user, or for all users in the site (mlocati). Users will no longer have to enter their email addresses twice, and will no longer be told that they’re in the “forgot password” user flow, when they’re actually in the manual reset user flow.
- Added the ability to force user passwords changes every X days (thanks mlocati)
- Added the ability to mark a password as reset from a Dashboard user detail page (thanks mlocati)
- Add more info in user details dashboard page (thanks mlocati)
- Added a new full page caching setting that determines the lifetime of the page based on the blocks on the page (thanks hissy)
- Defaulted file manager and file manager component in chooser to sorting by name ascending for more consistent behavior.
- New user avatar editor component in My Account and Dashboard.
- Added a config option to disable asciify for uploaded files (thanks hissy)
Behavioral Improvements
- Improved display of View Page as User panel.
- Using group paths when group operations are logged instead of group names (thanks mlocati)
- Activating the Elemental or Atomik themes after installation will install required supported templates.
- Added min fields to page list block number fields (thanks ccmEnlil)
- Core guest, registered and admin groups once again forced to be created with the proper initial IDs (thanks mlocati)
- New conversations message notifications now appear in Waiting for Me.
- Top Navigation Bar block now correctly links to the multilingual home pages, and includes nav-path-selected CSS classes on parent pages of active pages.
- Top Navigation Bar now honors nav target custom attribute (thanks ccmEnlil)
- API Integrations can limit which Concrete CMS product areas they cover via custom scopes.
- Add missing for attribute to checkbox label of option list attribute (thanks Mesuva)
- SMTP config page: don’t send the SMTP password to the clients (thanks mlocati)
- Fix UI of “Update Languages” dashboard page (thanks mlocati)
- Heartbeat backend call updates “Online Now” user property (thanks mlocati)
- Add option to disable asciify on generate url slug (thanks hissy)
- Performance improvement: All global areas’’ blocks no longer loaded on every page load (thanks mnakalay)
- Fixed: Breadcrumb block doesn’t respect replace_link_with_first_in_nav attribute (thanks hissy)
- Fixed error where Express Entry List criteria in the block were being shown twice.
- Changed image slider URL field from textarea to text input for better display and less ability to mess up input by putting in newlines (thanks nikolai-nikolajevic)
- Dashboard Environment Information page now wraps its content properly (thanks JohnTheFish)
- Fixed error where containers when used on page would block that page from engaging in automated full-page caching (thanks hissy)
- Added date/time of previous login to Welcome back dashboard and account screens.
- File title is now included when searching via the file manager file/folder interface.
- Much improved, more uniform appearance to select pickers and combo boxes when using autocomplete functionality.
- Better block caching settings for certain core block types (thanks
- Added additionally indexes throughout (thanks jlucki)
- Performance Improvement: Avoid getting same attribute values multiple times (thanks hissy)
- Added a new publish notification if a page has a publish end date that is earlier than the current date (and is therefore closed) (thanks hissy)
- Alias pages are no longer included in sitemap.xml.
Bug Fixes
- Fixed: Express Form Block submission cannot be edited (thanks mnakalay)
- Fixed bug: Viewing versions of a page with permissions does not work
- Fixed bug: Page preview fails if page is protected
- Fixed bug: Unable to view mobile preview, page versions panel detail, custom design before publish the page
- Fixed bug where unapproved conversation messages were being sent to subscribers.
- Fixed bug where advanced search dialogs in the Dashboard weren’t accurately showing default search and sort order selections.
- Add the missing user param on page_version_approve event (thanks chauve-dev)
- Fix sorting results of FolderItemList by file title when only full group by SQL mode is enabled (thanks mlocati)
- Many bug fixes to searchable lists.
- Bug fixes to Tags attribute that fixes inability to remove tags, other problems.
- Fixed: For draft pages, the destination is the Drafts directory if you create the page in another language.
- Fixed inability to use query parameter ccm_order_by broken with block express_entry_list (thanks mnakalay)
- Fixed issue where editing a JPEG using the image editor would save that file with the JPEG extension but the file behind the scenes was actually a PNG.
- Fixed Calendar block not being properly localized.
- Fix issue under PHP8 when saving select/option attributes with no selected values (thanks Mesuva)
- Fixed bug where tag block showing tags on a specific page did not limit properly.
- Fixed /concrete/single_pages/download_file.php:23 Undefined variable $fID under PHP 8.
- Fixed inability to set home folder when editing a user in the Dashboard.
- Fixed: [V9][Bug] Order by FileSet not working in Document Library Block (thanks mnakalay)
- Fixed: “select fileset” dialog in file manager doesn’t retain file set values (thanks mnakalay)
- Fixed error registering users with email validation under PHP 8.
- Exporting users now checks the permission of the access user export permission.
- When running validate-schema via the console no more errors are reported (thanks biplobice)
- Fixed errors regarding titleFormat in multiple blocks under PHP8
- Fixed error when placing site into maintenance mode.
- Fixed: Dashboard user attributes always required when present and empty even if not required when editing attributes
- Fixed: If ID of the Home page isn’t 1, we can’t manage access rights to site
- Image attribute causing js error in composer and attribute panel (thanks mlocati)
- Fixed bug where marking a page description as required in composer made it impossible to approve the page version even when description was specified.
- Fixed error when hiding username on new registration form under PHP 8.
- Fixed error using layout sliders on non-Bedrock themes.
- Many small errors and code incompatibilities fixed in group notifications (thanks mlocati)
- Fix handling of page removal when deleting a calendar event (thanks mlocati)
- Fixed PHP errors when using Legacy Form block with PHP 8 (thanks mlocati)
- Fixed some exceptions in BlockController when using PHP8 (thanks biplobice)
- Fixed Wrong params order in the call of View::element(), under elements\workflow\edit_type_form_required.php (thanks BSalaeddin)
- Fixed bug where removing orphaned blocks that are part of page defaults for a page template deletes them from all pages of that type (thanks hissy)
- Fixed error when using Check Automated Groups task.
- Fixed error when saving page type order in the Page Type Order and Group Dashboard page under PHP 8 (thanks hissy)
- Fixed error when visiting URL of deleted private message: Undefined property: Concrete\Core\User\PrivateMessage\PrivateMessage::$uID
- Fixed: Tags Block Ignores Display Limit
- Fixed JavaScript error in version 9 themes when using address attributes.
- Fixed: Presets transparent less variable are replaced by colors when upgrading to concrete version 9 (thanks apaccou)
- Fixes in browsers where certain asynchronous operations could result in a popup saying “undefined” when navigating away from a page
- Fixed: Attempting to delete the “social block” gave displayOrder error under PHP 8.1.
- Fixed: Bugfix: Bul…
8.5.12
Bug Fixes
- More PHP 5 fixes (thanks mlocati)
- Improved testing for PHP 5 compatibility
8.5.11
8.5.11****Bug Fixes
- Restored support for PHP 5.6
9.1.3
9.1.3****Behavioral Improvements
- Made the legacy_salt functionality easier to read
Security Fixes
See our security release blog post for more information about security fixes.
Medium
- CVE-2022-43693 Added “state” parameter to OAuth client by default to prevent CSRF. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43692 Sanitized output to prevent XSS in dashboard search pages. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43694 Sanitized output in API endpoint to prevent potential reflected XSS in the Image Manipulation Library. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43967 Sanitized output in multilingual dashboard report to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43968 Sanitized output on the icons dashboard page to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43686 Improved performance of “forever” cookie to prevent DOS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43691 Hide $_SERVER and $_ENV output from whoops by default to prevent information disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43687 Generate a new session ID when authenticating through OAuth to prevent session fixation. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- Sanitized dashboard breadcrumbs to prevent stored XSS. Thanks @_akbar_jafarli_for reporting HackerOne report #1696363.
Low
- CVE-2022-43695 Sanitized entity names in entity association dashboard page to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43690 Use strict comparison when testing against legacy password algorithm to prevent against potential integer conversion. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43688 Sanitize Microsoft tile icon to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43689 Disable entity expansion when sanitizing SVGs to prevent DNS based IP disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
Not Ranked
- Added a warning for admins when they are potentially giving more access than they expect when they set certain advanced permissions. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.
- Added a warning when moving groups that permissions of the new parent group will be granted to the child group but the child group will retain all previous permissions.Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.
8.5.10
8.5.10****Bug Fixes
- Fix ZendCacheDriver does not set lifetime properly (thanks hissy)
- Made the legacy_salt functionality easier to read
Developer Updates
- Private properties in Select Attribute Controller updated to be protected (thanks biplobice)
- Added on_get_page_wrapper_class() custom event to allow developers to customize classes delivered by this method (thanks JohnTheFish)
Security Fixes
See our security release blog post for more information about security fixes.
Medium
- CVE-2022-43693 Added “state” parameter to OAuth client by default to prevent CSRF. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43692 Sanitized output to prevent XSS in dashboard search pages. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43694 Sanitized output in API endpoint to prevent potential reflected XSS in the Image Manipulation Library. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43967 Sanitized output in multilingual dashboard report to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43968 Sanitized output on the icons dashboard page to prevent reflected XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43686 Improved performance of “forever” cookie to prevent DOS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43691 Hide $_SERVER and $_ENV output from whoops by default to prevent information disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43687 Generate a new session ID when authenticating through OAuth to prevent session fixation. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- Sanitized dashboard breadcrumbs to prevent stored XSS. Thanks @_akbar_jafarli_for reporting HackerOne report #1696363.
Low
- CVE-2022-43695 Sanitized entity names in entity association dashboard page to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43690 Use strict comparison when testing against legacy password algorithm to prevent against potential integer conversion. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43688 Sanitize Microsoft tile icon to prevent stored XSS. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
- CVE-2022-43689 Disable entity expansion when sanitizing SVGs to prevent DNS based IP disclosure. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for reporting.
Not Ranked
- Added a warning for admins when they are potentially giving more access than they expect when they set certain advanced permissions. Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.
- Added a warning when moving groups that permissions of the new parent group will be granted to the child group but the child group will retain all previous permissions.Thanks Bogdan and Adrian Tiron from FORTBRIDGE for suggesting.
9.1.2
New Features
- Added “Exclude Current Page” option to the Page List block (thanks ccmEnlil)
- Added new “Upload Settings” Dashboard page to configure file upload settings, including chunking, chunk size, and parallel streams (thanks mlocati).
Behavioral Improvements
- WebP images now supported by the file manager. WebP images will show up with the proper extension and thumbnail (assuming the browser supports them). File extension added to the file manager list view.
- Many minor UI fixes throughout Dashboard pages and edit dialogs (thanks shahroq)
- Improved display of Environment information Dashboard page: larger window of text.
- Removed ability to approve versions of drafts – because they need to be published first.
- If a folder is specified as the root folder of a document library, uploaded files will be placed in this folder if uploaded through the document library.
- Nicer version history view in add-on update screen (thanks biplobice)
- Much improved scrolling of page when dragging blocks into the page using the Atomik theme.
- Fixed weird Chrome behavior where sometimes dialog windows would have a fully opaque black background.
- Added the ability to toggle passwords when adding a user or change your user’s password (thanks shahroq)
- API Integrations Dashboard page now more suitable for situations where many integrations exist. Supports search, pagination, etc…
- Add a pull down menu to set datetime format for CSV exports (thanks hissy)
- Hide username on edit profile when it is not required on registration (thanks hissy)
- Allow for saving Hero Image Blocks without Image while avoiding the current datatype Exception (thanks haeflimi)
- Mercure overhauled to default all Concrete events to private (for better security).
- Added additional configuration methods to Server-Sent Events (Mercure) to allow for more advanced configuration use cases.
- Fixed display of CMS when wrapping areas in text-align styles.
- Added environment hostname and name to Environment page (thanks shahroq)
- Improvements to Event List block edit dialog.
- Improved display of navigation in the Express Dashboard pages (thanks shahroq)
- Improvements to the Concrete user input component (thanks mlocati)
- By default, login will take you to the home page of your site (this can be changed from the Login Destination Dashboard page, if desired.)
Bug Fixes
- Fixed bug where automated groups were not working properly.
- Fixed bug where users could not change the custom template of a block in a Stack.
- Fixed custom options forms not showing properly in third party Captcha packages
- Fixed error editing Hero Image block in PHP 8+ when title format had not been set.
- Fixed bugs under PHP 8+ when configuring advanced properties of advanced permissions.
- Fixed: Background Color of a custom skin can no longer be cleared but destroy the custom skin itself
- Fixed: Adding layout throws error in console "Cannot read properties of undefined (reading ‘closest’)" in v9.1.1
- Fixed display issues and content issues in the Help panel.
- Added some better content in the help panel.
- Fixed bug where Copy languages feature copied all pages instead of only pages that have not been associated.
- Fixed: Setting Atomik Top Navigation Bar Color to transparent breaks theme cusomiser
- Fixed bug in Atomik sample content where blog posts weren’t showing up because they were going in with dates that were too old.
- Fixed bug where only the super user could assign user groups or remove user groups through the bulk editing interface.
- Fix/error in reindex contents task with Page Objects when pages are in the trash/don’t have a public date (thanks deek87)
- Fixed error in breadcrumb block rendering when parent pages were unapproved (thanks hissy)
- Fixed bug where editing block visibility at certain device breakpoints via custom design was not working (thanks deek87)
- Fixed bug where clearing the site’s cache may lead to an error when using custom cache drivers like Redis (thanks chauve-dev)
- Fixed bug where “page topics” filtering option in Event List block didn’t work and didn’t present a list of topics.
- Fixed bug where large images added via the Content block would burst out of the Atomik theme.
- Fixed bug where images saved in the database with UUID placeholders didn’t display properly (can happen when using the migration tool with version 9)
- Fixed bug where calendar block would not display properly on older themes.
- Fixed bug where pages would not validate in the w3c validator due to a closing </link> tag being present.
- Fixed error when adding an Event List block where topic attributes were present under PHP 8.1 (thanks TMDesigns)
- Fixed error when changing locale on Multilingual Setup page (thanks jocomail78)
- File upload chunking now works again (if enabled) (thanks mlocati)
- Fixed: “Your Computer” tab initially empty when swapping files in the file manager (thanks mlocati)
- Fixed bug where filtering by topic tree in the Event List block didn’t show a topic tree to choose from.
- Fixed miscellaneous bugs in Event List block edit dialog.
- Fixed ability to edit certain content in the rich text editor in the Accordion block.
- Fixed interaction where adding a layout and then cancelling would hide the area the layout was added to until the page was reloaded.
- Fixed gallery block error where a gallery referencing a deleted image would cause an Exception (thanks JeffPaetkau)
- Fixed: In php 8 when signed in as a non super user an error occurs when accessing the /dashboard/extend/update page due to $mi not being defined (thanks danklassen)
- Fixed dialogs/block/design.php - Line 12 has an extra closing php tag (thanks ConcreteOwl)
- Fixed Back button not taking you anywhere when viewing an Express entry that was owned by another Express entry.
- Fixed bug on Organize page types Dashboard page under PHP 8.1.
- Fixed error adding basic workflow in PHP 8.1.
- Fixed error editing groups under PHP 8 (thanks hissy)
- Fixed “An exception occurred while executing 'insert into CollectionVersionBlocks” when changing page template.
- Fixed: When using PHP8 if you turn Advanced Permissions on then try to add Block Permissions you’re met with this error.
- Fixed: Setting nothing to Items Per Page option of Express Entry List causes an error
- Fixed: Incorrect tag namespace for multilingual sitemap generation (thanks gregheafield)
- Fixed: Page Selector Attribute - Search& Indexing broken (thanks haeflimi)
- Bug fixes for Page List block under PHP 8.1 (thanks ccmEnlil)
- Fixed: Express Form Block E-Mail notification doesn’t respect form field Order
- Fixed: Express Form Block E-Mail notification – URL to entries doen’t work and leads to empty page
- Fixed error when updating file sets in PHP8+ (thanks ccmEnlil)
- Fixed errors when using Server-Sent events introduced in 9.1.0
- Fixed bug when using magic method in form helper to create previously undefined form input types (thanks JohnTheFish)
- Fixed bug where page list block would offer the number of entries as the rss feed title if the block was being edited.
- Fix LaminasCacheDriver does not set TTL properly (thanks hissy)
- Fixed: Saving Page with Legacy Attribute Error with PHP8
- Fixed ugly styling for authentication when logging in via Oauth2
- Fixed community authentication (community.concretecms.com) - now it works again.
Backward Compatibility Notes
- Tweaked Auto-Nav block controller to fix issue with Community Store breadcrumb custom template.
Developer Updates
- Private properties in Select Attribute Controller updated to be protected (thanks biplobice)
- MessageBusManager library improvements for extension
- Update the URL of the Doctrine XML repository/GitHub Pages (thanks mlocati)
- Any custom integrations using Mercure (likely very few, if any) should be checked over – Mercure system has been completed overhauled, including an update to Symfony Mercure 0.61.
- Added on_get_page_wrapper_class() custom event to allow developers to customize classes delivered by this method (thanks JohnTheFish)
- Let translators swap file extension and file type (thanks mlocati)
- Added ability to pass class to tabs method (thanks shahroq)
- Form helper __call magic method can now output form types that have dashes in them (thanks mlocati)
- Add an option to the DeleteGroup command to skip deleting groups with users
- Added application/pdf to the types of files that can be used with view_inline (thanks hissy)
8.5.9
Bug Fixes
- Fixed inability to upload files when file chunking is disabled.
- Fixed bug that prevented file chunking from also working.
- Reverted code that accidentally made the core require PHP 5.6+ in some situations.
8.5.8
Behavioral Improvements
- JavaScript and CSS assets now have the timestamp of when the cache was last cleared appended to them (thanks deek87, haeflimi)
- Renamed concrete5 to Concrete CMS and Concrete during the installation process.
- Nicer version history view in add-on update screen (thanks biplobice)
Bug Fixes
- Fixed error that would occur if you deleted an Express entry and then attempted to reorder that same entry on the page before reloading (thanks biplobice)
- Fixed error where users, files and sites weren’t being reindexed when running the index_search_all job.
- Fixed error where copying conversation blocks out from page defaults made them all one instance of the same conversation (thanks hissy)
- Validating Express, User and Page attribute types now works when used with Composer and Expres (thanks hissy)
- Fixed bug in Redis caching backend when saving a primitive value.
- Fixed: when using the Express Form block, and a file is uploaded through the form, it creates two versions of the file, which are seemingly identical (thanks 1stthomas)
- Fixed: Clear old page versions in all site trees when running remove page versions job (thanks Ruud-Zuiderlicht)
- Fixed bug where OAuth2 and sign in as user functionality could lead to someone unintentionally joining their user account to a different account.
- Render single pages like 404, 403, login, register in default site locale (thanks hissy)
- Fixed: : error message doesn’t display when upload file failed via drag & drop (thanks hissy)
- Fixed invalid and unhelpful displaying on marketplace connection failures during certain conditions (thanks JohnTheFish)
- Topics Attribute Search Form is not getting translated on Frontend (thanks 1stthomas)
- Fixed: Multilingual copy site tree with alias pages (thanks hissy)
- Fix migration bug on fix overlapping start end dates when custom page publishing dates had been set in some cases (thanks hissy)
- Fixed null pointer Exceptions when using area layouts under certain conditions (thanks biplobice)
Security Fixes
- CKEditor updated from 4.16.2 to 4.18.0 (thanks hissy)
- Remediated CVE-2022-21829 - Concrete CMS Version 9.0.2 and below and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even if a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting on HackerOne - https://hackerone.com/reports/1482520
- Remediated CVE-2022-30117 - Concrete CMS version 9.0.2 and below and 8.5.7 and below allowed traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn’t match expectations.Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting https://hackerone.com/reports/1482280
- Remediated CVE-2022-30120 - XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS version 9.02 and below and Concrete CMS 8.5.7 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Dashboard Stacks page sort URLs are now sanitized. Concrete CMS Security team ranked this vulnerability 3.1 with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting https://hackerone.com/reports/1363598
- Remediated CVE-2022-30119 - XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are output can be exploited for Concrete CMS version 9.02 and below and Concrete CMS 8.5.7 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Thanks zeroinside for reporting https://hackerone.com/reports/1370054
- Remediated CVE-2022-30118 - XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: \ old browsers only.
When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete CMS version 9.02 and below and Concrete CMS 8.5.7 and below can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting https://hackerone.com/reports/1370054
9.1.1
Behavioral Improvements
- Enhancement: adding the ability to pass association ID through request and pick it up in the form
- Adding associations to Express form notifications
- Top Navigation Bar block now honors the nav_target custom attribute, if it exists (thanks ccmEnlil)
Bug Fixes
- Fixed bug in /ccm/system/upgrade script on PHP 8.1 (thanks ccmEnlil)
- Fixed upgrade inconsistencies that could cause problems for installers like Softaculous
- Fixed Accordion Block: when the initial state set to ‘all items open’ or ‘all items closed’ the collapsed state is not always correct (thanks danklassen)
- Fixed compatibility with PHP 8.1 when installing with Composer.
- Fixing bug where Express entries with multiple associations could not be filtered accurately in advanced search
- Fixing bug where submitted values do not persist in Express association forms
- Fixed: Changing the page template of a draft breaks block versioning (thanks jaromirdalecky)
- Fixed: Duplicating file as non-super admin does not work due to permissions key (thanks danklassen)
- Fixed: core search block: the form tag has two class attributes
- Fixed null pointer Exceptions when using area layouts under certain conditions (thanks biplobice)
Developer Updates
- Laminas cache laminas/laminas-cache-storage-adapter-memory library updated to 2.0 in order to restore compatibility with PHP 8.1 when installing via Composer
- Fixed: Block::isOriginal() returns opposite value (thanks jaromirdalecky)
9.1.0
New Features
- Improved appearance and functionality when editing block, area, layout and container styles inline in the page (thanks deek87)
- Added the ability for an Express attribute to be marked as unique, provided its attribute type supports it. Unique attributes will be useful for SKUs, enforcing email uniqueness, etc…
- Much improved version comparison feature that can compare the HTML of two page versions and highlight differences (thanks deek87 and hissy)
- Feature Link block improvements: Adds option for ‘link’ styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
- Hero Image block improvements: Adds option for ‘link’ styled button using BS5 .btn-link button class, Adds the option to include an icon in the button and to have icon only buttons. Moves some construction of the button to the view file to allow easy comprehension/modification/extension in Block Templates by novice developers (thanks Katalysis)
- Added new Security Policy page in the Dashboard (thanks hissy)
- Added a “Revert to Draft” command button on published pages in the Composer interface (thanks hissy)
- Improvements and refinements to Dashboard file details screen in desktop and mobile views.
- Added the ability to move a file folder in the Dashboard file manager.
- Added the tree view back to the Groups Dashboard page.
- Add title field for YouTube and Video block types for better accessibility (thanks Mesuva)
Behavioral Improvements
- Express attributes no longer need to be unique across all Express objects. Instead attribute handles can be reused provided they’re not reused within the same object.
- New Express forms will be created when Express Form blocks that have been copied are edited in their new locations (thanks Xanweb)
- File chooser has improved view and functionality; bug fixes; adding width, height and size to list and grid view; adding detail image callout on hover.
- Task Options in the Dashboard have have been moved into a modal dialog when present, so they’re harder to miss (thanks deek87)
- Express entity attribute handles now can be reused as long as they’re not reused within the same Express object.
- You can now click on the entire row of a Dashboard results table (like the page search, file manager, etc…) and go to the detail URL.
- Better display of inline floating commands for things like containers and block move.
- We now show the container name when hovering over containers in edit mode.
- Reinstated CSS and JavaScript asset post-processing cache setting; restructured the Dashboard Cache Settings page for better grouping of functionality and explanation.
- Improve display of Recaptcha settings page.
- Appearance improvements to Waiting for Me and the Dashboard desktop.
- Active classes for pages added to the output of the Top Navigation Bar block (thanks danklassen)
- Locale home page is now undeleteable when using multilingual sites.
- Miscellaneous performance improvements for logged-in users (thanks hissy)
- Added rate limiting to Forgot Password using the built-in IP Allowlist/Denylist functionality
- Better usage of meta canonical tag in page under certain circumstances (thanks hissy)
- File folders now cannot be deleted if they have sub-folders or sub-files in them.
- Display improvements to inline style dropdown (no more too-dark panels with no contrast.)
- Better automatic display of the “Approve Stack” button when editing block parameters, styles and permissions in the stacks Dashboard page.
- Don’t allow users to delete site types until they have removed all sites of that type.
- Improvements when Concrete is installed in a subdirectory instead of the root directory of a website.
- Added the ability to view a user’s public profile from their Dashboard user details page.
- Added --session-handler to the console install utility. Set to database if you’d like to override the default file-based sessions.
- Gotten rid of the behavior where certain dynamic trees cause pages to scroll to them on load (visible on Express Object details edit, adding groups, using the Groups selector in custom Dashboard pages, and more)
- JavaScript and CSS assets now have the timestamp of when the cache was last cleared appended to them (thanks deek87, haeflimi)
- Added the link back to the “Data Objects” Express management interface from the header of that Express objects results page.
- Added URL Path as a column that can be added to the Page Search interface.
- Fixed: Login page forces gray background on custom themes
- Fixed: Scheduled page publishing doesn’t purge the page cache (thanks hissy)
- Added more caching to certain objects to improve performance (thanks hissy)
- Pre-selected File Storage Location For Nested Folder
Bug Fixes
- Much improved PHP 8 compatibility fixes for all core block types (thanks deek87)
- Fixed user permissions for searching users with non super admin not working in sites upgraded from 8.5 until permissions were reset.
- Fixed inability to assign groups, users, group sets or group combinations to group permissions when updating from 8.5.
- Improvements to core libraries to allow for installation on PHP 8.1 w/Composer.
- PHP 8 compatibility fixes for Calendar (thanks deek87)
- Fixed: Database Character Set is no longer showing current character set.
- Fixed: Missing font selection for body font in Atomik customizer when using Default skin.
- Fixed: Batch Task with empty batch does not finish running
- Fix Top Navigation Bar block ‘include sticky nav’ setting not set appropriately when editing the block
- Fixed inability to drag an individual block out of the stacks panel in a page.
- Fixed: Document Library advanced search fields do not display
- Fixed “Express form error dirty entity” error that users might see when creating forms on the front-end.
- Fixed bug where attribute data validation routines weren’t being run when updating certain objects and certain objects in bulk.
- Fixed: Express Calendar and Calendar Event Attributes Not Correctly Implemented
- Fixed: “Added to Page” File search filter doesn’t work
- Fixed: Schedule Guest Access doesn’t work (thanks HamedDarragi)
- Fixed: Page Search in chooser dialog doesn’t work (thanks HamedDarragi)
- Fixed: The multilingual panel/page relations panel didn’t allow you to create pages in the multilingual trees from the related page - and it used to.
- Fixed strange appearance in Dashboard sitemap selector when using multisite and multiple locales.
- Fixed bugs with using custom file attributes with the Document Library block.
- Fixed theme customizer not working on legacy LESS-based themes when being used with a large number of LESS variables.
- Fixed inability to see sort icons on attributes in the Dashboard.
- Fix Auto-Nav showing duplicate tabs in themes based on Bootstrap 3 (thanks lvanstrijland)
- Fixed: When using more than one user search criteria by group, one to include groups and one to exclude groups, we get the wrong results (thanks mnakalay)
- Fixed: Accordion block doesn’t load required assets when not using BS5 based theme.
- Fixed Error when try to edit ‘express details block’ (thanks Ruud-Zuiderlicht)
- Fixed edit page type basic details error on PHP 8.
- Tooltips now work properly again in Composer interface (thanks danklassen)
- Fixed inability to create and update skins for themes that had a large number of parameters under certain conditions.
- Fixed errors that would occur when creating a site, enabling multilingual, setting a new source locale, and deleting the original default locale.
- Fixed: User activation workflow, Activate action not working
- Fixed: 9.0.2 Seo Bulk Updater for multilingual site not showing results when selecting All Levels (thanks danklassen)
- Fixed: Placing a Sticky “Top Navigation Bar” in Global “Navigation” using Atomik blocks editing of page
- Fixed: Topics Attribute Search Form is not getting translated on Frontend (thanks 1stthomas)
- Re-enabled the ability to edit a user’s avatar from their Dashboard details page.
- Fixed: Clipboard - Unable to remove broken clipboard entries/clipboard doesnt remove deleted blocks
- Fixed: When placing a stack, the edit mode menu is not displayed
- Fixed: Adding Options To Option List Page Attribute Undefined Array Key under PHP 8
- Fixed: Multilingual copy site tree with alias pages (thanks hissy)
- Fixed: v9 Elemental Block Edit Nav Tabs Broken (thanks ccmEnlil)
- Fixed: Error in updating package from marketplace incorrectly displaying itself under certain conditions (thanks JohnTheFish)
- Fixed: Accordion block editing interface rich text editor doesn’t have access to Concrete-specific features like file manager, sitemap, etc…
- Fixes ErrorException - Undefined property: Concrete\Core\Permission\Access\Entity\GroupCombinationEntity::$label under PHP 8 (thanks 1stthomas)
- Legacy form’s “reply to this email address” checked state was not properly passed (thanks katzueno)
- Fixed errors with the legacy form (thanks mlocati)
- Fixed: Updating an express form handle can result in a table name that is too long for mysql
- Fix several user search fields not retaining their selected values (thanks mnakalay)
- Fixed: install with Elemental full fails due to undefined array key “titleFormat” under PHP 8
- Fix YouTube block responsive size class issue (thanks katalysis)
- Fixed Marketplace dashboard page broken under PHP 8
- Conversation rating stars now appear properly (thanks deek87)
- Fixed inability to remove an entry from the trash when that entry is an alias to an external link (thanks Ruud-Zuiderlicht)
- Fixed bug where core “Parallax Image” area custom template (deprecated) now works again
…
Related news
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations.Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting.
XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520.
XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting
XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting
XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting
XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting
XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520.