CVE-2023-44763

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-44763
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-44763.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-44763
Aliases
Published
2023-10-10T12:15:09.870Z
Modified
2026-04-10T05:04:17.952533Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). NOTE: the vendor's position is that a customer is supposed to know that "pdf" should be excluded from the allowed file types, even though pdf is one of the allowed file types in the default configuration.

References

Affected packages

Git / github.com/concretecms/concretecms

Affected ranges

Type
GIT
Repo
https://github.com/concretecms/concretecms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
9cb42f30dcbdc42210d20f72abcbd6c752197968
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.2.1"
        }
    ]
}

Affected versions

5.*
5.7.0
5.7.0.1
5.7.0.3
5.7.0.4
5.7.1
5.7.2
5.7.2.1
5.7.3
5.7.3.1
5.7.4.1
5.7.5.2
5.7.5.5
5.7.5.6
5.7.5.7
8.*
8.1.0
8.2.0
8.2.0RC2
8.2.1
8.3.1
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.5.0
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5
9.*
9.0.0
9.0.1
9.0.2
9.1.0
9.1.1
9.1.2
9.2.0
9.2.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-44763.json"