One Hat Cyber Team
Your IP :
52.14.164.37
Server IP :
192.145.235.60
Server :
Linux ngx365.inmotionhosting.com 5.14.0-427.33.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Aug 30 09:45:56 EDT 2024 x86_64
Server Software :
Apache
PHP Version :
8.2.27
Buat File
|
Buat Folder
Eksekusi
Dir :
~
/
var
/
softaculous
/
conc85
/
View File Name :
changelog.txt
8.5.18 Release Notes Bug Fixes Fixed bug where boolean page attributes that are checked by default show up as checked even if they have previously been saved unchecked (thanks hissy) Fixed some issues when attempting to use Redis to store session under certain conditions (thanks mlocati) Security Updates Fixed CVE-2024-4350 Stored XSS in RSS Displayer with commit 12166 for version 9 and with commit c08d9671cec4e7afdabb547339c4bc0bed8eab06 for version 8. Prior to the fix a rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.0 with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N and a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Thanks m3dium for reporting HackerOne 2479824 Fixed CVE-2024-7394 Stored XSS in getAttributeSetName() by sanitizing Board instance names on output with commit 12166 for version 9 and commit c08d9671cec4e7afdabb547339c4bc0bed8eab06 for version 8. Prior to the fix, a rogue administrator could inject malicious code. The Concrete CMS team ranked this a CVSS v3.1 rank of 2 with vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N and a CVSS v4.0 rank of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks m3dium for reporting HackerOne 2463288 Show a more generic error message in RSS Displayer block if curl is unable to load posts. Thanks m3dium for recommending this in HackerOne 2479824 8.5.17 Release Notes Behavioral Improvements Added notifications into the interface about the new marketplace coming in Concrete CMS 9.3.0. Bug Fixes Backported fix from Concrete CMS 9: CollectionSearchIndexAttributes table is updated without approving the page version (thanks hissy) 8.5.16 Release Notes Security Updates Created CVE-2024-2753 Stored XSS on the calendar color settings screen and fixed it with commit 11988 Prior to the fix, a rogue administrator could put malicious javascript on the Concrete CMS color setting screen which would have would have been triggered by and affected users who accessed the color settings screen. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.0 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N Thank you Rikuto Tauchi for reporting HackerOne 2433383. Created CVE-2024-3178 Cross-site Scripting (XSS) - Advanced File Search Filter and fixed it with commit 11988 for version 9 and commit 11989 for version 8. Prior to the fix, a rogue administrator could add malicious code in the file manager because of insufficient validation of administrator provided data. All administrators have access to the File Manager and hence could create a search filter with the malicious code attached. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Guram (javakhishvili) for reporting HackerOne 949443 Created CVE-2024-3179 Stored XSS in the Custom Class page editing and fixed it with commit 11988 for version 9 and commit 11989 for version 8. Prior to the fix, a rogue administrator could insert malicious code in the custom class field due to insufficient validation of administrator provided data. Concrete CMS version 9.2.8 and 8.5.13 no longer allow any non alphanumeric characters in this CSS class. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev for reporting HackerOne 918129. Created and fixed [CVE-2024-3180] (https://nvd.nist.gov/vuln/detail/CVE-2024-3180) Prior to fix, stored XSS could be executed by a rogue administrator adding malicious code to the link-text field when creating a block of type file. Fixed with commit 11988 for version 9 and commit 11989 for version 8. The Concrete CMS security team gave this vulnerability a CVSS v3.1 sore of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L Thank you Alexey Solovyev for reporting HackerOne 903356 Created CVE-2024-3181 Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete Team fixed this with commit 11988 for version 9 and commit 11989 for version 8. Thank you Alexey Solovyev for reporting HackerOne 918142