{"id":"CVE-2017-18195","details":"An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/view_ajax with incremental 'cnvID' integers.","modified":"2026-04-10T03:58:10.405399Z","published":"2018-02-26T17:29:00.227Z","references":[{"type":"ADVISORY","url":"https://github.com/concrete5/concrete5/releases/tag/8.3.0"},{"type":"FIX","url":"https://github.com/concrete5/concrete5/pull/6008/files"},{"type":"EVIDENCE","url":"https://github.com/r3naissance/NSE/blob/master/http-vuln-cve2017-18195.nse"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/44194/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/concretecms/concretecms","events":[{"introduced":"0"},{"fixed":"42e323aa14b5efdc3a75594bf02faec26ebb35cd"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"8.3.0"}]}}],"versions":["5.7.0","5.7.0.1","5.7.0.3","5.7.0.4","5.7.1","5.7.2","5.7.2.1","5.7.3","5.7.3.1","5.7.4.1","5.7.5.2","5.7.5.5","5.7.5.6","5.7.5.7","8.1.0","8.2.0","8.2.0RC2","8.2.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-18195.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}