GHSA-g3p2-hfqr-9m25

Source

https://github.com/advisories/GHSA-g3p2-hfqr-9m25

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-g3p2-hfqr-9m25/GHSA-g3p2-hfqr-9m25.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g3p2-hfqr-9m25

Aliases

CVE-2021-22968

Published

2021-11-23T17:54:26Z

Modified

2024-02-16T08:19:28.762421Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Improper file handling in concrete5/core

Details

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below. The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration. To fix this, a check for allowed file extensions was added before downloading files to a tmp directory

Database specific

{
    "nvd_published_at": "2021-11-19T19:15:00Z",
    "cwe_ids": [
        "CWE-330",
        "CWE-98"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-22T19:41:50Z"
}

References

Affected packages

Packagist / concrete5/core

Package

Name: concrete5/core
Purl: pkg:composer/concrete5/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.5.7

Affected versions

8.*

8.2.0RC2

8.2.0

8.2.1

8.3.0

8.3.1

8.3.2

8.4.0RC3

8.4.0RC4

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0RC1

8.5.0RC2

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6RC1

8.5.6