Security

The following CVEs affecting both version 9 below 9.3.4 and all other concrete versions below 8.5.19 have been sent to MITRE to publish:

Thanks so much to all the community members who report vulnerabilities following the process outlined on https://www.concretecms.org/security and https://hackerone.com/concretecms?type=team so that they can be triaged and remediated by the Concrete Team!

We will be publishing a number of CVEs today which were remediated with Concrete CMS versions 8.5.16 and 9.2.8. 

The Concrete CMS Team is publishing CVE-2024-2179 with the release of 9.2.7; Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field. 

On February 7th, 2024, we received a bug report that the rich text editor in Concrete CMS 8 and 9 was displaying a strange and alarming warning:

https://github.com/concretecms/concretecms/issues/11931

This warning states "This CKEditor 4.22.1 (Standard) version is not secure. Consider upgrading to the latest one, 4.24.0-lts."

Naturally, this has prompted concern and confusion from our customers and members in our community, and I feel it's important to address it. Here's what I know about this, what caused it, what it's regarding specifically, our plans to address it and how we're planning to move forward.

We will be  publishing three CVEs for very low vulnerabilities that were reported and fixed in Concrete version 9.2.5. These vulnerabilities affected Concrete version 9 only. 

Concrete CMS has just been authorized by the CVE Program as a CVE Numbering Authority (CNA). Concrete CMS will be managing Concrete CMS CVEs created as of today going forward for supported versions of Concrete CMS.

Concrete CMS, like any software, is not immune to vulnerabilities. We are pleased to announce that we are sharing our tracker for the Disclosed Common Vulnerabilities and Exposures (CVEs) affecting supported versions of Concrete CMS. The information provided is based on the data available as of today, Dec 15, 2023. Our intention is to keep the list up to date with every Concrete CMS release.

We are excited to announce the release of Concrete version 9.2.3, as well as an update for Concrete CMS version 8.5, now at version 8.5.14. These releases come with a number of security updates, reinforcing our commitment to the security and reliability of Concrete CMS.

Actions to take to mitigate CVE-2023-37260 affecting a Concrete CMS dependency