CVE-2023-48648
First published: Fri Nov 17 2023(Updated: )
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/concrete5/concrete5 | >=9.0.0<9.2.2 | 9.2.2 |
| composer/concrete5/concrete5 | <8.5.13 | 8.5.13 |
| Concretecms Concrete Cms | <8.5.13 | |
| Concretecms Concrete Cms | >=9.0<9.2.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release
- https://documentation.concretecms.org/developers/introduction/version-history/922-release-notes
- https://documentation.concretecms.org/developers/introduction/version-history/8513-release-notes
- https://nvd.nist.gov/vuln/detail/CVE-2023-48648
- https://github.com/concretecms/concretecms/pull/11677
- https://github.com/concretecms/concretecms/commit/707b974826b761dda5c0baaf345c8582157d9307
- https://github.com/concretecms/concretecms/commit/eb882681a0ed19798a8f689d257af8dfe2f3a279
- https://github.com/advisories/GHSA-m87h-jxr6-f82w (Advisory)
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2023-48648.
What versions of Concrete CMS are affected by this vulnerability?
Concrete CMS versions before 8.5.13 and 9.x before 9.2.2 are affected by this vulnerability.
How can unauthorized access be achieved in Concrete CMS?
Unauthorized access can be achieved in Concrete CMS due to directories being created with insecure permissions.
What is the default access permission for created folders in Concrete CMS?
The default access permission for created folders in Concrete CMS is 0777.
How can the vulnerability be fixed in Concrete CMS?
To fix the vulnerability, update Concrete CMS to version 8.5.13 or 9.2.2, depending on the installed version.
- collector/mitre-cve
- collector/github-advisory-latest
- alias/GHSA-m87h-jxr6-f82w
- alias/CVE-2023-48648
- collector/nvd-api
- collector/nvd-cve
- collector/github-advisory
- package-manager/composer
- vendor/concretecms
- canonical/concretecms concrete cms
- version/concretecms concrete cms/9.0