CVE-2021-22967
First published: Fri Nov 19 2021(Updated: )
In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in "add / edit message”.Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NCredit for discovery Adrian H
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Concretecms Concrete Cms | <8.5.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2021-22967.
What is the severity of CVE-2021-22967?
The severity of CVE-2021-22967 is high with a severity value of 7.5.
What software versions are affected by CVE-2021-22967?
Concrete CMS (formerly concrete 5) versions below 8.5.7 are affected by CVE-2021-22967.
What is the description of CVE-2021-22967?
CVE-2021-22967 is an Insecure Direct Object Reference (IDOR) vulnerability in Concrete CMS that allows an unauthenticated user to access restricted files if allowed to add a message to a conversation.
How can CVE-2021-22967 be mitigated?
To mitigate CVE-2021-22967, a check has been added to verify that a user has the necessary permissions to view files before attaching them to a message in the 'add/edit message' functionality.
- collector/nvd-index
- vendor/concretecms
- canonical/concretecms concrete cms