QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2022-21829

Back to search

CVE-2022-21829

Published: Jun 24, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520.

VendorProductVersions

n/a

https://github.com/concrete5/concrete5

affected
Remediated in Concrete CMS 8.5.8 and 9.1.0. Affected Versions are Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2

Weaknesses (CWE)

CWE-319

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now