Lucene search

Veracode Vulnerability DatabaseVERACODE:38015

HistoryNov 16, 2022 - 4:33 a.m.

Denial Of Service (DoS)

2022-11-1604:33:14

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

concrete cms

dos

vulnerability

controller.php

user-supplied input

forever cookie

attacker

0.001 Low

EPSS

Percentile

51.0%

JSON

Concrete CMS is vulnerable to denial of service.The vulnerability exists in multiple functions of controller.php due to insufficient validation of user-supplied input within the forever cookie which allows an attacker to crash the application via malicious input.

CPENameOperatorVersion
concrete5/concrete5le8.5.9
concrete5/concrete5le9.1.2
concrete5/corele8.5.9
concrete5/corele9.1.2
concrete5/concrete5le8.5.9
concrete5/concrete5le9.1.2
concrete5/corele8.5.9
concrete5/corele9.1.2

Name	Operator	Version
concrete5/concrete5	le	8.5.9
concrete5/concrete5	le	9.1.2
concrete5/core	le	8.5.9
concrete5/core	le	9.1.2
concrete5/concrete5	le	8.5.9
concrete5/concrete5	le	9.1.2
concrete5/core	le	8.5.9
concrete5/core	le	9.1.2

References

documentation.concretecms.org/developers/introduction/version-history/8510-release-notes

documentation.concretecms.org/developers/introduction/version-history/913-release-notes

github.com/advisories/GHSA-3cxx-3f53-m92c

github.com/concretecms/concretecms-core/commit/36239e6698282ce3f631e67e60b3687e6d235823

github.com/concretecms/concretecms-core/commit/80fd7d2d9573d3810d2326a0e0aa692fa1b4b14e

github.com/concretecms/concretecms/commit/605a5e82f0164e3d333ef6a43660e30e3362065e

github.com/concretecms/concretecms/commit/80f5d78f58761b6ba7b61b9e1d24711c5bb8bbda

github.com/concretecms/concretecms/pull/10977

github.com/concretecms/concretecms/releases/8.5.10

github.com/concretecms/concretecms/releases/9.1.3

www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31

0.001 Low

EPSS

Percentile

51.0%

JSON

Related for VERACODE:38015