CVE-2021-40109: SSRF
First published: Mon Sep 27 2021(Updated: )
A SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type. The redirect is followed and loads the contents of the file from the redirected-to server. Files of disallowed types can be uploaded.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Concretecms Concrete Cms | <8.5.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this SSRF issue?
The vulnerability ID for this SSRF issue is CVE-2021-40109.
What is the severity of CVE-2021-40109?
CVE-2021-40109 has a severity rating of 6.4, which is considered medium.
What is the affected software for CVE-2021-40109?
The affected software for CVE-2021-40109 is Concrete CMS versions up to 8.5.5.
How can users exploit CVE-2021-40109?
Users with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type, resulting in unauthorized access to forbidden files on their local network.
Is there a fix available for CVE-2021-40109?
Yes, Concrete CMS version 8.5.6 includes a fix for CVE-2021-40109. It is recommended to update to this version or later to mitigate the vulnerability.
- collector/nvd-index
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/tags
- agent/description
- agent/type
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- vendor/concretecms
- canonical/concretecms concrete cms