Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tODdoLWp4cjYtZjgyd84AA3O-
Concrete CMS allows unauthorized access because directories can be created with insecure permissions
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) give universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.
Permalink: https://github.com/advisories/GHSA-m87h-jxr6-f82w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tODdoLWp4cjYtZjgyd84AA3O-
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago
Identifiers: GHSA-m87h-jxr6-f82w, CVE-2023-48648
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-48648
- https://documentation.concretecms.org/developers/introduction/version-history/8513-release-notes
- https://documentation.concretecms.org/developers/introduction/version-history/922-release-notes
- https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release
- https://github.com/concretecms/concretecms/pull/11677
- https://github.com/concretecms/concretecms/commit/707b974826b761dda5c0baaf345c8582157d9307
- https://github.com/concretecms/concretecms/commit/eb882681a0ed19798a8f689d257af8dfe2f3a279
- https://github.com/advisories/GHSA-m87h-jxr6-f82w
Blast Radius: 0.0
Affected Packages
packagist:concrete5/concrete5
Dependent packages: 4
Dependent repositories: 7
Downloads: 2,058 total
Affected Version Ranges: >= 9.0.0, < 9.2.2, < 8.5.13
Fixed in: 9.2.2, 8.5.13
All affected versions: 8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 9.0.0, 9.0.1, 9.0.2, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 9.2.1
All unaffected versions: 8.5.13, 8.5.14, 8.5.15, 8.5.16, 8.5.99, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8