PT-2020-6286 · Concrete5 · Concrete5

Egix · Published 2020-12-20 · Updated 2021-09-22 · CVE-2021-36766

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Concrete5 versions 8.5.5 and earlier

Description

The issue is a deserialization of untrusted data in the Concrete5 CMS. The vulnerable code is located in the controllers/single_page/dashboard/system/environment/logging.php file, specifically in the Logging::update_logging() method. User input passed through the logFile request parameter is not properly sanitized before being used in a call to the PHP file_exists() function. Malicious users can exploit this to inject arbitrary PHP objects into the application scope, allowing them to carry out various attacks, such as executing arbitrary PHP code.

Recommendations

For Concrete5 versions 8.5.5 and earlier, consider disabling the Logging::update_logging() method until a patch is available. Restrict access to the logFile request parameter to minimize the risk of exploitation. Avoid using the logFile parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
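
One way to implement the missing input check, as an added example (not code from Concrete5 or from this advisory): the logFile value is validated before any filesystem function such as file_exists() sees it. The function name safe_log_file_path(), the .log-only policy and the allowed-directory rule are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not Concrete5 code): validate a user-supplied log file
 * path BEFORE any filesystem function such as file_exists() is called on it.
 * Returns the normalized absolute path, or null if the value is rejected.
 */
function safe_log_file_path(string $input, string $allowedDir): ?string
{
    // Reject empty values and NUL bytes outright.
    if ($input === '' || strpos($input, "\0") !== false) {
        return null;
    }
    // Reject anything shaped like a stream-wrapper URL (phar://, php://, data:, ...).
    // On PHP < 8.0, filesystem calls on phar:// URLs unserialize archive metadata.
    // Two or more scheme characters are required so "C:\logs" is not caught here.
    if (preg_match('/^[a-z][a-z0-9+.\-]+:/i', $input) === 1) {
        return null;
    }
    // Assumed policy: only *.log files are valid logging targets.
    if (strtolower(pathinfo($input, PATHINFO_EXTENSION)) !== 'log') {
        return null;
    }
    // Resolve the parent directory (the log file itself may not exist yet)
    // and require it to be the allowed directory or a subdirectory of it.
    $base = realpath($allowedDir);
    $dir  = realpath(dirname($input));
    if ($base === false || $dir === false) {
        return null;
    }
    if ($dir !== $base && strpos($dir, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . basename($input);
}

// Constructed sample inputs; the allowed directory is a temp dir for the demo.
$allowed = sys_get_temp_dir();
$samples = [
    $allowed . '/site.log',            // accepted
    'phar:///tmp/archive.phar/x.log',  // rejected: stream wrapper
    '/etc/../etc/passwd.log',          // rejected: outside allowed directory
    $allowed . '/notes.txt',           // rejected: wrong extension
];
foreach ($samples as $s) {
    printf("%-34s => %s\n", $s, var_export(safe_log_file_path($s, $allowed), true));
}
```

The scheme check runs first so that no filesystem function is ever called on a wrapper URL; only the returned path should reach file_exists() or the logger configuration.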

Exploit

Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

BDU:2021-03930
CVE-2021-36766

Affected Products

Concrete5