CVE-2022-43691

Published: Nov 14, 2022Modified: Apr 30, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production.

Affected (2)

Products: Concretecms: Concrete Cms

Concretecms

1 product

Concrete Cms

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Concretecms Concrete Cms	Before 8.5.10
Concretecms Concrete Cms	From 9.0.0 to 9.1.2

Related CWEs

CWE-319

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References (10)

https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes

Source: cve@mitre.org

Release NotesVendor Advisory

https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes

Source: cve@mitre.org

Release NotesVendor Advisory

https://github.com/concretecms/concretecms/releases/8.5.10

Source: cve@mitre.org

Release NotesVendor Advisory

https://github.com/concretecms/concretecms/releases/9.1.3

Source: cve@mitre.org

Release NotesVendor Advisory

https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31

Source: cve@mitre.org

Vendor Advisory

https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes