PT-2021-15294 · Unknown · Concrete Cms

Published: 2021-11-19 · Updated: 2021-11-23 · CVE-2021-22951

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Concrete CMS versions prior to 8.5.7
Concrete CMS version 8.5.6

Description
Unauthorized individuals could view password-protected files using "view inline" in Concrete CMS. The issue has been resolved by checking whether a file has a password in "view inline" and not rendering the file if it does. For version 8.5.6, mitigations were put in place, including restricting file types for "view inline" to images only and putting a warning in the file manager to advise users.

Recommendations
For versions prior to 8.5.7, update to version 8.5.7 or later to resolve the issue. For version 8.5.6, consider restricting file types for "view inline" to images only and putting a warning in the file manager to advise users until a patch is available. As a temporary workaround, consider disabling the "view inline" function until a patch is available.

Fix

Information Disclosure

IDOR

Weakness Enumeration

Related Identifiers

CVE-2021-22951
GHSA-RHF5-F553-XG82

Affected Products

Concrete Cms