First published: Fri Nov 19 2021
Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl request. Fixed by adding a check for group permissions before allowing a group to be moved.

Concrete CMS Security team CVSS scoring: 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

Credit for discovery: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/)

This fix is also in Concrete version 9.0.0.
Credit: support@hackerone.com
Affected Software | Affected Version | How to fix |
---|---|---|
Concretecms Concrete Cms | <8.5.7 | Upgrade to 8.5.7 or later |
The vulnerability ID is CVE-2021-22966.
The severity rating of CVE-2021-22966 is 8.8 (high).
Concrete CMS versions 8.5.6 and below are affected by CVE-2021-22966.
An attacker can exploit CVE-2021-22966 by being part of a group granted 'view' permissions on the bulkupdate page and then using a specially crafted curl command to escalate their privileges to administrator.
Yes, CVE-2021-22966 has been fixed in Concrete CMS version 8.5.7.