Security

Concrete CMS, like any software, is not immune to vulnerabilities. We are pleased to announce that we are sharing our tracker for the Disclosed Common Vulnerabilities and Exposures (CVEs) affecting supported versions of Concrete CMS. The information provided is based on the data available as of today, Dec 15, 2023. Our intention is to keep the list up to date with every Concrete CMS release.


We are excited to announce the release of Concrete version 9.2.3, as well as an update for Concrete CMS version 8.5, now at version 8.5.14. These releases come with a number of security updates, reinforcing our commitment to the security and reliability of Concrete CMS.


Actions to take to mitigate CVE-2023-37260 affecting a Concrete CMS dependency


There have been a number of medium and low security vulnerabilities that have been fixed in version 9.2.2. Also, as part of our commitment to extend support to Concrete CMS version 8.5 through 2024, we have backported a large number of security fixes into Concrete 8.5.13. We are also updating a number of published Concrete CVEs to clarify that they do not apply to version 8.5. [updated 21 Nov 2023 to provide CVE numbers]


If it is a valid vulnerability, the team can make sure there’s a fix available before the vulnerability is disclosed to the public. That makes the internet safer for all! If it is not a valid finding, the reporter can learn more about the system, the public is not alarmed unnecessarily, and everyone can save time.  


Concrete CMS is requesting that MITRE close CVE-2023-44763, which was submitted by a community member without the Concrete CMS team's knowledge.


It recently came to our attention that NIST misunderstood the likelihood and impact of a vulnerability that PortlandLabs, the founders and maintainers of the open source Concrete CMS project, recently reported.


There have been a number of medium and low security vulnerabilities that have been fixed in version 9 through 9.2. Thanks so much to all the community members who report vulnerabilities following the process outlined on https://www.concretecms.org/security so that they can be triaged and remediated!


Fortbridge, an independent external penetration testing firm, has just concluded the 2022 annual penetration testing and vulnerability assessment of Concrete CMS Hosting as well as the open source project. If you host sites or intranets on Concrete CMS Hosting, we would be happy to provide you with a copy of the report upon request. 


We recently announced that Concrete v8 would reach end of life in late 2022, but that doesn't have to mean you won't be able to run a Concrete v8 site beyond New Year's.

[Update 14 Nov 2023 - Concrete v8 will have extended security maintenance through 2024]