PT-2020-15877 · Concrete5 · Concrete5

Published: 2020-09-04 · Updated: 2021-11-01 · CVE-2020-24986

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Concrete5 versions up to and including 8.5.2

Description: The issue allows for the unrestricted upload of files with dangerous types, such as .php files, via the File Manager. This can be achieved by modifying the site configuration to upload the PHP file, which can then be used to execute arbitrary commands.

Recommendations: For Concrete5 versions up to and including 8.5.2, update to a version that restricts the upload of dangerous file types, or modify the site configuration to prevent such uploads. As a temporary workaround, consider restricting access to the File Manager to minimize the risk of exploitation.

Unrestricted File Upload


Weakness Enumeration

Related Identifiers: CVE-2020-24986

Affected Products: Concrete5