CVE-2021-22968

{"id": "CVE-2021-22968", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2021-11-19T19:15:08.437", "references": [{"url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes", "tags": ["Release Notes", "Vendor Advisory"], "source": "support@hackerone.com"}, {"url": "https://hackerone.com/reports/1350444", "tags": ["Exploit", "Third Party Advisory"], "source": "support@hackerone.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-330"}, {"lang": "en", "value": "CWE-434"}]}, {"type": "Secondary", "source": "support@hackerone.com", "description": [{"lang": "en", "value": "CWE-98"}]}], "descriptions": [{"lang": "en", "value": "A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration.To fix this, a check for allowed file extensions was added before downloading files to a tmp directory.Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:NThis fix is also in Concrete version 9.0.0"}, {"lang": "es", "value": "Un bypass en la adici\u00f3n de archivos remotos en el Administrador de Archivos de Concrete CMS (anteriormente concrete5) conlleva a una ejecuci\u00f3n de c\u00f3digo remota en Concrete CMS (concrete5) versiones 8.5.6 y anteriores. La funcionalidad external file upload escenifica archivos en el directorio p\u00fablico incluso si presentan extensiones de archivo no permitidas. Son almacenadas en un directorio con un nombre aleatorio, pero es posible detener las subidas y forzar el nombre del directorio. Debe ser un administrador con la capacidad de subir archivos, pero este bug le da la capacidad de subir los tipos de archivos restringidos y ejecutarlos en funci\u00f3n de la configuraci\u00f3n del servidor.Para solucionar esto, fue a\u00f1adida una comprobaci\u00f3n de las extensiones de archivo permitidas antes de descargar los archivos a un directorio tmp.Concrete CMS Security Team dio a esto una puntuaci\u00f3n CVSS v3.1 de 5,4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:NT Esta correcci\u00f3n tambi\u00e9n est\u00e1 en Concrete versi\u00f3n 9.0.0"}], "lastModified": "2023-06-30T18:07:44.217", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B7FD65C-EFA6-40A6-9698-FFEDD4846EE1", "versionEndExcluding": "8.5.7"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}