CVE-2021-22966

Published: Nov 19, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check for group permissions before allowing a group to be moved. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HCredit for discovery: "Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )"This fix is also in Concrete version 9.0.0

Vendor	Product	Versions
n/a	https://github.com/concrete5/concrete5	affected `Fixed in version 9 and in version 8.5.7`

References

https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes

x_refsource_MISC

https://hackerone.com/reports/1362747

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-22966

Description

Affected Products

References