First published: Fri Nov 17 2023(Updated: )
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.
Affected Software | Affected Version | How to fix |
---|---|---|
composer/concrete5/concrete5 | >=9.0.0<9.2.2 | 9.2.2 |
composer/concrete5/concrete5 | <8.5.13 | 8.5.13 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this issue is GHSA-m87h-jxr6-f82w.
The title of this vulnerability is 'Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions.'
Concrete CMS versions before 8.5.13 and 9.x before 9.2.2 are affected by this vulnerability.
Unauthorized access can be gained due to this vulnerability by creating directories with insecure permissions, granting excessive access.
The recommended remedy for this vulnerability is to update Concrete CMS to version 8.5.13 or 9.2.2, depending on the currently installed version.