Lucene search
Veracode Vulnerability DatabaseVERACODE:4282HistoryMay 23, 2017 - 7:53 a.m.
HTML Injection
2017-05-2307:53:59
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
4
0.003 Low
EPSS
Percentile
66.0%
concrete5 is vulnerable to HTML injection. If there is no canonical URL defined during setup, a malicious user can initiate a GET request with any domain name in the HOST header, allowing for arbitrary domains to be set for certain links. It can also act as a potential vector for cross-site scripting (XSS) attacks.
| CPE | Name | Operator | Version |
|---|---|---|---|
| concrete5/concrete5 | le | 5.7.5.12 |
References
hyp3rlinx.altervista.org/advisories/CONCRETE5-v8.1.0-HOST-HEADER-INJECTION.txt
www.securityfocus.com/bid/97649
github.com/concrete5/concrete5/pull/4021
github.com/concrete5/concrete5/pull/4499
hackerone.com/reports/148300
packetstormsecurity.com/files/142145/concrete5-8.1.0-Host-Header-Injection.html
www.exploit-db.com/exploits/41885/
Related
exploitpack
exploitpack
Concrete5 CMS 8.1.0 - Host Header Injection
2017-04-14 00:00:00
osv
osv
Concrete CMS vulnerable to cross-site scripting (XSS)
2022-05-13 01:08:38
CVE-2017-7725
2017-04-13 17:59:00
nvd
nvd
CVE-2017-7725
2017-04-13 17:59:00
packetstorm
packetstorm
concrete5 8.1.0 Host Header Injection
2017-04-14 00:00:00
cve
cve
CVE-2017-7725
2017-04-13 17:59:00
prion
prion
Design/Logic Flaw
2017-04-13 17:59:00
cvelist
cvelist
CVE-2017-7725
2017-04-13 17:00:00
zdt
zdt
Concrete5 8.1.0 - Host Header Injection Vulnerability
2017-04-14 00:00:00
github
github
Concrete CMS vulnerable to cross-site scripting (XSS)
2022-05-13 01:08:38
exploitdb
exploitdb
Concrete5 CMS 8.1.0 - 'Host' Header Injection
2017-04-14 00:00:00
openvas
openvas
Concrete5 Header Injection and CSRF Vulnerability
2017-04-19 00:00:00