CVE-2022-50807
Concrete5 CMS contains an XPath injection vulnerability
9.8 CRITICAL (CVSS 3.1)
Description
Concrete5 CMS version 9.1.3 contains an XPath injection vulnerability that allows attackers to manipulate URL path parameters with malicious payloads. Attackers can flood the system with crafted requests to potentially extract internal content paths and system information.
How to fix CVE-2022-50807
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Packagist/concrete5/concrete5: no fix listed
Is CVE-2022-50807 being exploited?
No exploitation signal available. CVE-2022-50807 is not listed in CISA KEV, and no current EPSS score has been published for it.
Affected packages (1)
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |