Concrete5 CMS Advisory – Multiple Vulnerabilities

Application: Concrete 5
Versions Affected: < 5.4
Exploit: Multiple SQL Injections and XSS
Threat Level: Potentially high
Fix: Update not available
Credit: Ryan Dewhurst
External Website:

What does it mean? Do I have to do anything, and if so, what?

Multiple SQL injection and cross-site scripting vulnerabilities have been discovered. Only a few have been disclosed. Concrete were informed during September but have not issued updates yet. Keep checking the website for updates and apply them as soon as possible.

What happens if I leave it?

A malicious user can only insert data. There is therefore a possibility of the MySQL partition becoming full, which would in turn crash MySQL and possibly the server.
