Vulnerability in Concretecms Concrete_cms
CVE-2022-21829
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only…
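The advisory boils down to one pattern: a package archive fetched over plain HTTP and then executed is only as trustworthy as every network hop in between. The following is an added example, not Concrete CMS code, written in Python rather than the project's PHP so it runs stand-alone. It models the pre-fix fetcher (trust whatever arrives over the 'concrete' http:// base URL and unpack it) beside the hardened pattern behind the 'concrete_secure' fix (refuse non-HTTPS URLs, verify a pinned SHA-256 before reading a single entry, reject traversal paths). The URLs, archive contents, expected hash and the on-path "network" are all constructed for the example.

```python
# Added example, not Concrete CMS code: vulnerable vs. hardened package fetcher.
# Everything below (URLs, archives, the hash, the "network") is constructed.
import hashlib
import hmac
import io
import zipfile
from urllib.parse import urlparse


class InsecureTransport(Exception):
    """Archive would travel over a channel an on-path attacker can rewrite."""


class IntegrityError(Exception):
    """Archive bytes differ from what was pinned, or contain unsafe paths."""


def build_zip(files):
    """Constructed sample archive; fixed timestamps keep bytes (and hash) stable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0)), body)
    return buf.getvalue()


# Constructed archives: what the vendor published vs. what an attacker swaps in.
GENUINE_ZIP = build_zip({"my_addon/controller.php": "<?php echo 'hello';"})
TAMPERED_ZIP = build_zip({"my_addon/controller.php": "<?php system($_GET['c']);"})
# The operator pins this hash out of band (hypothetical: the page gives none).
GENUINE_SHA256 = hashlib.sha256(GENUINE_ZIP).hexdigest()


def mitm_fetch(url):
    """Hypothetical network: cleartext requests are rewritten in transit, TLS ones are not."""
    if urlparse(url).scheme == "http":
        return TAMPERED_ZIP
    return GENUINE_ZIP


def fetch_package_vulnerable(url, fetch=mitm_fetch):
    """Pre-fix behaviour: download from the http:// base URL and unpack as-is."""
    data = fetch(url)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n).decode() for n in zf.namelist()}


def fetch_package_secure(url, expected_sha256, fetch=mitm_fetch):
    """Post-fix pattern: HTTPS only, then verify integrity before unpacking."""
    if urlparse(url).scheme != "https":
        raise InsecureTransport(f"refusing non-HTTPS package URL: {url}")
    data = fetch(url)
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        raise IntegrityError(f"sha256 mismatch: got {digest}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # An archive is also an attacker-controlled file system layout.
            if name.startswith("/") or ".." in name.split("/"):
                raise IntegrityError(f"unsafe archive path: {name}")
        return {n: zf.read(n).decode() for n in zf.namelist()}


if __name__ == "__main__":
    print(fetch_package_vulnerable("http://marketplace.example/my_addon.zip"))
    print(fetch_package_secure("https://marketplace.example/my_addon.zip", GENUINE_SHA256))
```

In a real client the scheme check alone is not enough: the HTTP library must also verify the server certificate and must not follow an https-to-http redirect, otherwise the downgrade simply moves one hop later. The hash pin is what turns "came over TLS" into "is the archive the vendor published".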
EPSS: 0.017 (74.1st percentile). See the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Concretecms Concrete_cms
- https://github.com/concrete5/concrete5: affected versions are Concrete 8.5.7 and below and Concrete 9.0.0 through 9.0.2; remediated in Concrete CMS 8.5.8 and 9.1.0.
Weakness classification (CWE)
- CWE-319: Cleartext Transmission of Sensitive Information
Public proof-of-concept exploits
References
- support@hackerone.com (x_refsource_MISC, Release Notes, Vendor Advisory)
- support@hackerone.com (x_refsource_MISC)
- support@hackerone.com (x_refsource_MISC)
Frequently asked questions
- What is CVE-2022-21829?
- CVE-2022-21829 is a critical-severity vulnerability in Concretecms Concrete_cms, classified under Cleartext Transmission of Sensitive Information. CVSS score: 9.8/10. Published 2022-06-24.
- How severe is CVE-2022-21829?
- Critical severity. CVSS v3 base score is 9.8 out of 10.
- Is CVE-2022-21829 known to be exploited?
- One public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.