Researcher from WSP Lab@KAIST
#27945 of 53,622
9.1 Total CVSS
Vulnerabilities · 1
PT-2021-22811
9.1
2021-09-24
Unknown · Concrete CMS · CVE-2021-40102
**Name of the Vulnerable Software and Affected Versions**
Concrete CMS versions through 8.5.5

**Description**
An issue in Concrete CMS allows for arbitrary file deletion via PHAR deserialization in the `is_dir` function, which is associated with PHP Object Injection and the `__wakeup` magic method.

**Recommendations**
For versions through 8.5.5, consider disabling the `is_dir` function or restricting its use until a patch is available to prevent PHP Object Injection associated with the `__wakeup` magic method. At the moment, there is no information about a newer version that contains a fix for this vulnerability.