We found results for “”
CVE-2021-40097
Good to know:
Date: September 27, 2021
An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to to remote code execution via uploaded PHP code, related to the bFilename parameter.
Language: PHP
Severity Score
Severity Score
Weakness Type (CWE)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22Top Fix
Upgrade Version
Upgrade to version concrete5/concrete5 - dev-fix-redis-config;concrete5/concrete5 - dev-dependabot/npm_and_yarn/build/word-wrap-1.2.4;concrete5/concrete5 - dev-dependabot/npm_and_yarn/build/postcss-and-vue-loader-8.4.31;concrete5/concrete5 - 8.5.0RC2;concrete5/concrete5 - dev-feature/usable-welcome-page;concrete5/concrete5 - 9.0.0RC3;concrete5/concrete5 - dev-marketplace-migration;concrete5/concrete5 - dev-dependabot/npm_and_yarn/build/json5-1.0.2;concrete5/concrete5 - dev-dependabot/npm_and_yarn/build/async-2.6.4;concrete5/concrete5 - 8.5.x-dev;concrete5/concrete5 - dev-backport-9975;concrete5/concrete5 - 8.5.6RC1;concrete5/concrete5 - dev-allow-install-php-8.2;concrete5/concrete5 - dev-fix-master-to-develop-0915;concrete5/concrete5 - dev-dependabot/npm_and_yarn/build/lodash.template-and-download--removed;concrete5/concrete5 - dev-feature/composer-php8-support;concrete5/core - 8.5.1;concrete5/core - 9.0.0RC1;concrete5/core - 8.4.2;concrete5/core - 8.5.2;concrete5/core - 8.5.6RC1
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | LOW |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | HIGH |
CVSS v2
| Base Score: |
|
|---|---|
| Access Vector (AV): | NETWORK |
| Access Complexity (AC): | LOW |
| Authentication (AU): | SINGLE |
| Confidentiality (C): | PARTIAL |
| Integrity (I): | PARTIAL |
| Availability (A): | PARTIAL |
| Additional information: |
Vulnerabilities
Projects
Contact Us


