CVE-2023-28821
First published: Fri Apr 28 2023(Updated: )
Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Concretecms Concrete Cms | <9.1.0 | |
| composer/concrete5/concrete5 | <9.1.0 | 9.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-28821?
CVE-2023-28821 is a vulnerability in Concrete CMS (previously concrete5) before version 9.1 that allows for unlimited password reset attempts without rate limiting.
What is the severity of CVE-2023-28821?
CVE-2023-28821 has a severity rating of medium with a CVSS score of 5.3.
How does CVE-2023-28821 affect Concrete CMS?
CVE-2023-28821 affects Concrete CMS versions before 9.1 by not having a rate limit for password resets, making it vulnerable to unlimited password reset attempts.
How can I fix CVE-2023-28821?
To fix CVE-2023-28821, you should update Concrete CMS to version 9.1 or later, which includes the rate limit for password resets.
Where can I find more information about CVE-2023-28821?
You can find more information about CVE-2023-28821 on the Concrete CMS GitHub releases page and the Concrete CMS security advisory page
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-ph6g-6v8w-8p6m
- alias/CVE-2023-28821
- collector/nvd-cve
- collector/github-advisory
- vendor/concretecms
- canonical/concretecms concrete cms
- package-manager/composer