CVE-2023-48648

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:32

Type Values Removed Values Added
References () https://documentation.concretecms.org/developers/introduction/version-history/8513-release-notes - Release Notes () https://documentation.concretecms.org/developers/introduction/version-history/8513-release-notes - Release Notes
References () https://documentation.concretecms.org/developers/introduction/version-history/922-release-notes - Release Notes () https://documentation.concretecms.org/developers/introduction/version-history/922-release-notes - Release Notes
References () https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release - Release Notes, Vendor Advisory () https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release - Release Notes, Vendor Advisory

22 Nov 2023, 00:06

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-17 04:15

Updated : 2024-11-21 08:32


NVD link : CVE-2023-48648

Mitre link : CVE-2023-48648

CVE.ORG link : CVE-2023-48648


JSON object : View

Products Affected

concretecms

  • concrete_cms
CWE
CWE-276

Incorrect Default Permissions