Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered.For version 8.5.6, the following mitigations were put in place a. restricting file types for view_inline to images only b. putting a warning in the file manager to advise users.Credit for discovery: "Solar Security Research Team"Concrete CMS security team CVSS scoring is 5.3: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NThis fix is also in Concrete version 9.0.0
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Link | Tags |
---|---|
https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes | release notes vendor advisory |
https://hackerone.com/reports/1102014 | third party advisory permissions required |