CVE-2023-28472

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 does not have Secure and HTTP only attributes set for ccmPoll cookies.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
VendorProductVersion
concretecmsconcrete_cms
𝑥
< 9.2.0
𝑥
= Vulnerable software versions
References
https://concretecms.com
https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20
https://concretecms.com
https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20