Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Concrete CMS < 8.5.7 Multiple Vulnerabilities
Information
Severity
Family
CVSSv2 Base
CVSSv2 Vector
Solution Type
Created
Modified
Summary
Concrete CMS is prone to multiple vulnerabilities.
Insight
The following vulnerabilities exist:
- CVE-2021-22966: Privilege escalation from Editor to Admin using Groups
- CVE-2021-40101: Admin users must now provide their password when changing another user's password from the Dashboard
- CVE-2021-22968: A bypass of adding remote files in the Concrete CMS File Manager leads to remote code execution
- CVE-2021-22951: Unauthorized individuals could view password-protected files using view_inline
- CVE-2021-22967: Insecure direct object reference (IDOR): an unauthenticated user was able to access restricted files by attaching them to a message in a conversation
- CVE-2021-22969: SSRF mitigation bypass using a DNS rebinding attack, giving an attacker the ability to fetch cloud IaaS (e.g. AWS) IAM keys
- CVE-2021-22970: Concrete CMS allowed importing from local IP addresses, leaving the system vulnerable to SSRF attacks against servers on the private LAN and to SSRF mitigation bypass through DNS rebinding
Affected Software
Concrete CMS versions prior to 8.5.7.
Detection Method
Checks if a vulnerable version is present on the target host.
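The version check described above, as an added example that is not the Mageni plugin's own code: it parses a Concrete CMS version string and reports whether it falls below the fixed release 8.5.7. The sample version strings and the `assess` output format are constructed for illustration; the CVE identifiers are the ones listed on this page.

```python
import re

# Fixed release named on this page; anything below it is affected.
FIXED_VERSION = "8.5.7"

# CVEs listed on this page for Concrete CMS < 8.5.7.
CVES = [
    "CVE-2021-22966", "CVE-2021-40101", "CVE-2021-22968", "CVE-2021-22951",
    "CVE-2021-22967", "CVE-2021-22969", "CVE-2021-22970",
]

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(version):
    """Turn a version string into a comparable tuple.

    Numeric components are compared as integers, so '8.5.10' sorts above
    '8.5.7' (a plain string comparison would get this wrong). Short versions
    are padded with zeros ('8.5' -> 8.5.0). A trailing pre-release suffix
    such as '8.5.7rc1' is recorded as a final 0, a plain release as 1, so a
    pre-release of the fixed version still counts as below it.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    is_release = 1 if m.group(2).strip() == "" else 0
    return tuple(parts) + (is_release,)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True if `version` is strictly below the fixed release."""
    return parse_version(version) < parse_version(fixed)


def assess(version):
    """Build a finding record for one detected version (constructed format)."""
    vulnerable = is_vulnerable(version)
    return {
        "detected_version": version,
        "fixed_version": FIXED_VERSION,
        "vulnerable": vulnerable,
        "cves": CVES if vulnerable else [],
        "solution": "Update to version 8.5.7 or later." if vulnerable else None,
    }


if __name__ == "__main__":
    # Constructed sample version strings, as a banner or config file might report them.
    for sample in ["8.5.6", "8.5.7", "8.5.10", "8.5", "8.5.7rc1", "9.0.0"]:
        finding = assess(sample)
        print(f"{sample:>9}: {'VULNERABLE' if finding['vulnerable'] else 'ok'}")
```

The pre-release handling is the caveat worth keeping: a version detection that strips the suffix and compares only digits would treat a release candidate of 8.5.7 as patched.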
Solution
Update to version 8.5.7 or later.