Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1tNTN2LTV4NXgtNW0ycM4AAv4I

Moderate EPSS: 0.00353% (0.56919 Percentile) EPSS:
Permalink JSON

Concrete CMS vulnerable to Session Fixation

Affected Packages Affected Versions Fixed Versions
packagist:concrete5/concrete5 >= 9.0.0, < 9.1.3, < 8.5.10 9.1.3, 8.5.10
4 Dependent packages
7 Dependent repositories
2,293 Downloads total

Affected Version Ranges

All affected versions

8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 9.0.0, 9.0.1, 9.0.2, 9.1.0, 9.1.1, 9.1.2

All unaffected versions

8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.16, 8.5.17, 8.5.18, 8.5.19, 8.5.20, 8.5.21, 8.5.99, 9.1.3, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.2.9, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.3.7, 9.3.8, 9.3.9, 9.4.0, 9.4.1, 9.4.2, 9.4.3

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

References:

Identifiers

GHSA-m53v-5x5x-5m2p

CVE-2022-43687

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00353

EPSS Percentile: 0.56919

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/concretecms/concretecms

Date and time

Published

almost 3 years ago

Updated

over 2 years ago

API

JSON