Concrete CMS allows unauthorized access because directories can be created with insecure permissions
Moderate severity
GitHub Reviewed
Published
Nov 17, 2023
to the GitHub Advisory Database
•
Updated Nov 17, 2023
Package
Affected versions
< 8.5.13
>= 9.0.0, < 9.2.2
Patched versions
8.5.13
9.2.2
Description
Published by the National Vulnerability Database
Nov 17, 2023
Published to the GitHub Advisory Database
Nov 17, 2023
Reviewed
Nov 17, 2023
Last updated
Nov 17, 2023
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.
References