CVE-2023-48648

Опубликовано: 17 нояб. 2023

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.

Ссылки

https://documentation.concretecms.org/developers/introduction/version-history/8513-release-notes
Release Notes
https://documentation.concretecms.org/developers/introduction/version-history/922-release-notes
Release Notes
https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release
Release Notes
Vendor Advisory
https://documentation.concretecms.org/developers/introduction/version-history/8513-release-notes
Release Notes
https://documentation.concretecms.org/developers/introduction/version-history/922-release-notes
Release Notes
https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release
Release Notes
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

Версия до 8.5.13 (исключая)

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

Версия от 9.0 (включая) до 9.2.2 (исключая)

EPSS

Процентиль: 72%

0.00729

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-276

Связанные уязвимости

GHSA-m87h-jxr6-f82w

github

около 2 лет назад

Concrete CMS allows unauthorized access because directories can be created with insecure permissions