GHSA-7vx2-5349-qj99

Source
https://github.com/advisories/GHSA-7vx2-5349-qj99
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-7vx2-5349-qj99/GHSA-7vx2-5349-qj99.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7vx2-5349-qj99
Withdrawn
2023-06-06T18:32:24Z
Published
2022-12-06T00:30:16Z
Modified
2024-02-16T08:20:22.023173Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Withdrawn: ConcreteCMS vulnerable to Xpath injection attacks
Details

Withdrawn

This advisory has been withdrawn because it has been found not to be a security issue and withdrawn by its CNA. Please see the message from NVD here for more information. This link is maintained to preserve external references.

Original Description

ConcreteCMS v9.1.3 was discovered to be vulnerable to Xpath injection attacks. This vulnerability allows attackers to access sensitive XML data via a crafted payload injected into the URL path folder "3".

Database specific
{
    "github_reviewed_at": "2022-12-06T15:35:16Z",
    "cwe_ids": [
        "CWE-91"
    ],
    "nvd_published_at": "2022-12-05T23:15:00Z",
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

Packagist / concrete5/concrete5

Package

Name
concrete5/concrete5
Purl
pkg:composer/concrete5/concrete5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Last affected
9.1.3

Affected versions

8.*

8.0
8.0.1
8.0.2
8.0.3
8.1.0
8.2.0RC2
8.2.0
8.2.1
8.3.0
8.3.1
8.3.2
8.4.0RC3
8.4.0RC4
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.5.0RC1
8.5.0RC2
8.5.0
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6RC1
8.5.6
8.5.7
8.5.8
8.5.9
8.5.10
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.5.99

9.*

9.0.0RC1
9.0.0RC3
9.0.0RC4
9.0.0
9.0.1
9.0.2
9.1.0
9.1.1
9.1.2
9.1.3