GHSA-q48r-xg9h-78m8

Source

https://github.com/advisories/GHSA-q48r-xg9h-78m8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-q48r-xg9h-78m8/GHSA-q48r-xg9h-78m8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q48r-xg9h-78m8

Aliases

CVE-2022-43689

Published

2022-11-15T12:00:16Z

Modified

2023-11-08T04:10:45.297111Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Concrete CMS vulnerable to XML External Entity

Details

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.

Database specific

{
    "nvd_published_at": "2022-11-14T23:15:00Z",
    "github_reviewed_at": "2022-11-22T00:12:47Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611"
    ]
}

References

Affected packages

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.5.10

Affected versions

8.*

8.0

8.0.1

8.0.2

8.0.3

8.1.0

8.2.0RC2

8.2.0

8.2.1

8.3.0

8.3.1

8.3.2

8.4.0RC3

8.4.0RC4

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0RC1

8.5.0RC2

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6RC1

8.5.6

8.5.7

8.5.8

8.5.9

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0

Fixed

9.1.2

Affected versions

9.*

9.0.0

9.0.1

9.0.2

9.1.0

9.1.1