
We found results for “”
CVE-2021-40097
Good to know:

Date: September 27, 2021
An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to to remote code execution via uploaded PHP code, related to the bFilename parameter.
Language: PHP
Severity Score
Severity Score
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22Top Fix

Upgrade Version
Upgrade to version concrete5/concrete5 - dev-fix-redis-config;concrete5/concrete5 - dev-dependabot/npm_and_yarn/build/word-wrap-1.2.4;concrete5/concrete5 - dev-dependabot/npm_and_yarn/build/postcss-and-vue-loader-8.4.31;concrete5/concrete5 - 8.5.0RC2;concrete5/concrete5 - dev-feature/usable-welcome-page;concrete5/concrete5 - 9.0.0RC3;concrete5/concrete5 - dev-marketplace-migration;concrete5/concrete5 - dev-dependabot/npm_and_yarn/build/json5-1.0.2;concrete5/concrete5 - dev-dependabot/npm_and_yarn/build/async-2.6.4;concrete5/concrete5 - 8.5.x-dev;concrete5/concrete5 - dev-backport-9975;concrete5/concrete5 - 8.5.6RC1;concrete5/concrete5 - dev-allow-install-php-8.2;concrete5/concrete5 - dev-fix-master-to-develop-0915;concrete5/concrete5 - dev-dependabot/npm_and_yarn/build/lodash.template-and-download--removed;concrete5/concrete5 - dev-feature/composer-php8-support;concrete5/core - 8.5.1;concrete5/core - 9.0.0RC1;concrete5/core - 8.4.2;concrete5/core - 8.5.2;concrete5/core - 8.5.6RC1
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | LOW |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | HIGH |
CVSS v2
Base Score: |
|
---|---|
Access Vector (AV): | NETWORK |
Access Complexity (AC): | LOW |
Authentication (AU): | SINGLE |
Confidentiality (C): | PARTIAL |
Integrity (I): | PARTIAL |
Availability (A): | PARTIAL |
Additional information: |