Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03dngyLTUzNDktcWo5Oc4AAwKW

Withdrawn: ConcreteCMS vulnerable to Xpath injection attacks

Withdrawn

This advisory has been withdrawn because it has been found not to be a security issue and withdrawn by its CNA. Please see the message from NVD here for more information. This link is maintained to preserve external references.

Original Description

ConcreteCMS v9.1.3 was discovered to be vulnerable to Xpath injection attacks. This vulnerability allows attackers to access sensitive XML data via a crafted payload injected into the URL path folder "3".

Permalink: https://github.com/advisories/GHSA-7vx2-5349-qj99
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03dngyLTUzNDktcWo5Oc4AAwKW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 10 months ago

Widthdrawn: 10 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-7vx2-5349-qj99, CVE-2022-46464
References: Repository: https://github.com/nu11secur1ty/CVE-nu11secur1ty

Affected Packages

packagist:concrete5/concrete5
Dependent packages: 4
Dependent repositories: 7
Downloads: 2,031 total
Affected Version Ranges: <= 9.1.3
No known fixed version
All affected versions: 8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.99, 9.0.0, 9.0.1, 9.0.2, 9.1.0, 9.1.1, 9.1.2, 9.1.3