Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:32
Type | Values Removed | Values Added |
---|---|---|
References | () https://documentation.concretecms.org/developers/introduction/version-history/8513-release-notes - Release Notes | |
References | () https://documentation.concretecms.org/developers/introduction/version-history/922-release-notes - Release Notes | |
References | () https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release - Release Notes, Vendor Advisory |
22 Nov 2023, 00:06
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-17 04:15
Updated : 2024-11-21 08:32
NVD link : CVE-2023-48648
Mitre link : CVE-2023-48648
CVE.ORG link : CVE-2023-48648
JSON object : View
Products Affected
concretecms
- concrete_cms
CWE
CWE-276
Incorrect Default Permissions