Yjkofzuso Art

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.4.8 **Description** Concrete CMS is susceptible to Remote Code Execution due to stored PHP object injection within the Express Entry List block, specifically through the `columns` parameter. An authenticated administrator can store malicious serialized data in block configuration fields. This data is subsequently processed by the `unserialize()` function without adequate class restrictions or integrity checks, allowing for potential code execution. The issue involves stored deserialization, which can lead to Remote Code Execution (RCE). **Recommendations** Versions prior to 9.4.8 should be updated to version 9.4.8 or later.