CVE-2021-22968

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration.To fix this, a check for allowed file extensions was added before downloading files to a tmp directory.Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:NThis fix is also in Concrete version 9.0.0
Configurations

Configuration 1 (hide)

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

History

21 Nov 2024, 05:51

Type Values Removed Values Added
References () https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes - Release Notes, Vendor Advisory () https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes - Release Notes, Vendor Advisory
References () https://hackerone.com/reports/1350444 - Exploit, Third Party Advisory () https://hackerone.com/reports/1350444 - Exploit, Third Party Advisory

30 Jun 2023, 18:07

Type Values Removed Values Added
CWE NVD-CWE-Other CWE-434
CWE-330

23 Nov 2021, 13:33

Type Values Removed Values Added
CWE NVD-CWE-Other
CVSS v2 : unknown
v3 : unknown
v2 : 6.5
v3 : 7.2
References (MISC) https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes - (MISC) https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes - Release Notes, Vendor Advisory
References (MISC) https://hackerone.com/reports/1350444 - (MISC) https://hackerone.com/reports/1350444 - Exploit, Third Party Advisory
CPE cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

19 Nov 2021, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-11-19 19:15

Updated : 2024-11-21 05:51


NVD link : CVE-2021-22968

Mitre link : CVE-2021-22968

CVE.ORG link : CVE-2021-22968


JSON object : View

Products Affected

concretecms

  • concrete_cms
CWE
CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CWE-330

Use of Insufficiently Random Values

CWE-434

Unrestricted Upload of File with Dangerous Type