CVE-2021-22967
CVE-2021-22967 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. In Concrete CMS (formerly concrete5) below 8.5.7, an IDOR allows an unauthenticated user to access restricted files if they are allowed to add a message to a conversation. To remediate this, a check was added to verify that a user has permission to view files before attaching the files to a message in "add / edit message". The Concrete CMS security team gave this a CVSS v3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). Credit for discovery: Adrian H. EPSS estimates a 1.11% chance of exploitation in the next 30 days.
Description
In Concrete CMS (formerly concrete5) below 8.5.7, an IDOR allows an unauthenticated user to access restricted files if they are allowed to add a message to a conversation. To remediate this, a check was added to verify that a user has permission to view files before attaching the files to a message in "add / edit message". The Concrete CMS security team gave this a CVSS v3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). Credit for discovery: Adrian H.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Concretecms | Concrete Cms | < 8.5.7 |
References
- https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes (Release Notes, Vendor Advisory)
- https://hackerone.com/reports/869612 (Permissions Required)
Source: NVD / NIST
