Vulnerability title
N/A
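Vulnerability description
Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload, which could result in an arbitrary file delete vulnerability. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete does not allow traversal, and by changing isFullChunkFilePresent to return false early when input does not match expectations. The Concrete CMS Security team ranked this issue 5.8 under CVSS v3.1. Credit to Siebene for reporting.
CVSS information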
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Vulnerability category
N/A
Vulnerability title
N/A
Vulnerability description
Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations. Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting.
CVSS information
N/A
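Vulnerability category
Improper limitation of a pathname (path traversal)
Vulnerability title
PortlandLabs Concrete CMS path traversal vulnerability
Vulnerability description
PortlandLabs Concrete CMS is an open-source content management system for teams, developed by the US company PortlandLabs. PortlandLabs Concrete CMS contains a security vulnerability that stems from allowing traversal in /index.php/ccm/system/file/upload, which may lead to an arbitrary file deletion vulnerability. The following products and versions are affected: Concrete CMS 8.5.7 and earlier, and Concrete CMS 9.0 through 9.0.2.
CVSS information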
N/A
Vulnerability category
Path traversal