CVE-2014-5107

Name of the Vulnerable Software and Affected Versions concrete5 versions prior to 5.6.3

Description The issue allows remote attackers to obtain the installation path via a direct request to various API endpoints, including "system/basics/editor.php", "system/view.php", "system/environment/file storage locations.php", "system/mail/importers.php", "system/mail/method.php", "system/permissions/file types.php", "system/permissions/files.php", "system/permissions/tasks.php", "system/permissions/users.php", "system/seo/view.php", "view.php", "users/attributes.php", "scrapbook/view.php", "pages/attributes.php", "files/attributes.php", or "files/search.php" in single pages/dashboard/.

Recommendations For versions prior to 5.6.3, update to version 5.6.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the aforementioned API endpoints until a patch is available.