First published: Fri Nov 17 2023(Updated: )
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.
Credit: email@example.com firstname.lastname@example.org
|Affected Software||Affected Version||How to fix|
|Concretecms Concrete Cms||<8.5.13|
|Concretecms Concrete Cms||>=9.0<9.2.2|
The vulnerability ID for this vulnerability is CVE-2023-48648.
Concrete CMS versions before 8.5.13 and 9.x before 9.2.2 are affected by this vulnerability.
Unauthorized access can be achieved in Concrete CMS due to directories being created with insecure permissions.
The default access permission for created folders in Concrete CMS is 0777.
To fix the vulnerability, update Concrete CMS to version 8.5.13 or 9.2.2, depending on the installed version.