CVE-2021-40097

Source
https://cve.org/CVERecord?id=CVE-2021-40097
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40097.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-40097
Published
2021-09-27T12:15:07.960Z
Modified
2026-07-09T00:36:47.695843Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to to remote code execution via uploaded PHP code, related to the bFilename parameter.

References

Affected packages

Git / github.com/concretecms/concretecms

Affected ranges

Type
GIT
Repo
https://github.com/concretecms/concretecms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "cpe": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.5.5"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

5.*
5.7.0
5.7.0.1
5.7.0.3
5.7.0.4
5.7.1
5.7.2
5.7.2.1
5.7.3
5.7.3.1
5.7.4.1
5.7.5.2
5.7.5.5
5.7.5.6
5.7.5.7
8.*
8.1.0
8.2.0
8.2.0RC2
8.2.1
8.3.1
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.5.0
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-40097.json"