First published: Mon Nov 14 2022(Updated: )
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production.
Credit: cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Concretecms Concrete Cms | <8.5.10 | |
Concretecms Concrete Cms | >=9.0.0<=9.1.2 | |
<8.5.10 | ||
>=9.0.0<=9.1.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID of this vulnerability is CVE-2022-43691.
CVE-2022-43691 has a severity rating of 5.3, which is considered medium.
The CVE-2022-43691 vulnerability affects Concrete CMS below version 8.5.10 and versions between 9.0.0 and 9.1.2.
The CVE-2022-43691 vulnerability inadvertently discloses server-side sensitive information, such as secrets in environment variables and server information, when Debug Mode is left on in production.
To fix the CVE-2022-43691 vulnerability, you should ensure that Debug Mode is turned off in production for Concrete CMS versions below 8.5.10 or between 9.0.0 and 9.1.2.