Vulnerability in Concretecms Concrete_cms

CVE-2022-21829

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only…

EPSS: 0.017 (74.1st percentile).

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

  • Concretecms Concrete_cms
  • https://github.com/concrete5/concrete5 — remediated in Concrete CMS 8.5.8 and 9.1.0. Affected versions are Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2.

Frequently asked questions

What is CVE-2022-21829?
CVE-2022-21829 is a critical-severity vulnerability in Concretecms Concrete_cms, classified under Cleartext Transmission of Sensitive Information. CVSS score: 9.8/10. Published 2022-06-24.
How severe is CVE-2022-21829?
Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2022-21829 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.