vendor:
concrete5
by:
SecurityFocus
7,5
CVSS
HIGH
Information Disclosure, SQL Injection and Cross-Site Scripting
79, 89, 99
CWE
Product Name: concrete5
Affected Version From: concrete5 5.5.2.1
Affected Version To: concrete5 5.5.2.1
Patch Exists: YES
Related CWE: N/A
CPE: a:concrete5:concrete5
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2012
concrete5 Information Disclosure, SQL Injection and Cross-Site Scripting Vulnerabilities
concrete5 is prone to information-disclosure, SQL-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may leverage these issues to harvest sensitive information, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
Mitigation:
Input validation should be used to ensure that untrusted data is not used to execute unintended commands or access data that is not intended to be accessed. It is also important to keep all software components up to date, as patches are frequently released to address security vulnerabilities.
