GSA_kwCzR0hTQS02eGM0LTdmbW0tNjVxMs4AAs-a

High EPSS: 0.00884% (0.74676 Percentile) EPSS:

Permalink JSON

Code injection in concrete CMS

Affected Packages	Affected Versions	Fixed Versions
packagist:concrete5/core	< 8.5.8, >= 9.0.0, < 9.1.0	8.5.8, 9.1.0
37 Dependent packages 56 Dependent repositories 152,747 Downloads total Affected Version Ranges All affected versions 8.2.0, 8.2.0RC2, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.0RC3, 8.4.0RC4, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.5.0, 8.5.0RC1, 8.5.0RC2, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.6RC1, 8.5.7, 9.0.0, 9.0.0RC1, 9.0.0RC3, 9.0.0RC4, 9.0.1, 9.0.2 All unaffected versions 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.16, 8.5.17, 8.5.18, 8.5.19, 8.5.20, 8.5.21, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 9.2.0RC2, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.2.9, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.3.7, 9.3.8, 9.3.9, 9.4.0, 9.4.0RC1, 9.4.0RC2, 9.4.1, 9.4.2, 9.4.3, 9.4.4, 9.4.5, 9.4.6

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520.

References:

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories

GSA_kwCzR0hTQS02eGM0LTdmbW0tNjVxMs4AAs-a

Code injection in concrete CMS

Affected Version Ranges

All affected versions

All unaffected versions

Identifiers

Risk

Severity

EPSS

Classification

Source

Origin

Date and time

Published

Updated

API