PT-2021-15302 · Unknown · Concrete Cms

Adrian H · Published 2021-11-19 · Updated 2021-11-23 · CVE-2021-22967

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions prior to 8.5.7
Description: Concrete CMS versions prior to 8.5.7 contain an Insecure Direct Object Reference (IDOR) in conversations. Any user who is allowed to add a message to a conversation, which can include an unauthenticated user, can attach files by ID in the "add / edit message" functionality, and the handler did not check whether that user is permitted to view the referenced files before attaching them. The attached files are then exposed through the message, so restricted files can be read by users who should not see them. To remediate this, 8.5.7 adds a check that the user has permission to view each file before it is attached to a message.
Recommendations: For versions prior to 8.5.7, update to version 8.5.7 or later. As a temporary workaround, restrict access to the "add / edit message" functionality on conversations to trusted users, so that unprivileged or guest users cannot reach the vulnerable code path. Any code path that attaches files to messages should verify that the acting user can view each file before attaching it; that is the check the fix introduces.
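The pattern behind this advisory, shown as an added example on a toy in-memory model; this is not Concrete CMS code. The `User`, `File`, `Message` classes, the `FILES` store, `can_view`, and the two `add_message_*` handlers are all hypothetical stand-ins for the "add / edit message" flow: the vulnerable handler trusts file IDs from the request, the fixed one refuses any file the acting user may not view. `idor_sweep` is the check a tester would run, feeding candidate IDs through the handler and recording which restricted files leak.

```python
"""IDOR in file attachment (constructed example, not Concrete CMS code).

Models the "add / edit message" handler before and after the 8.5.7 fix:
file IDs arrive from the request, and the only thing that stops a guest
from attaching (and thus reading) a restricted file is a view-permission
check that the vulnerable version does not perform.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()  # e.g. {"Administrators"}; guests have none


@dataclass
class File:
    file_id: int
    path: str
    view_groups: frozenset  # groups allowed to view; empty means anyone may view


@dataclass
class Message:
    author: User
    body: str
    attachments: list = field(default_factory=list)


class PermissionDenied(Exception):
    pass


# Constructed sample file store: one public file, one restricted file.
FILES = {
    101: File(101, "/files/public-brochure.pdf", frozenset()),
    102: File(102, "/files/board-minutes.pdf", frozenset({"Administrators"})),
}


def can_view(user: User, f: File) -> bool:
    """Hypothetical stand-in for the CMS's file view-permission check."""
    return not f.view_groups or bool(user.groups & f.view_groups)


def add_message_vulnerable(user: User, body: str, file_ids) -> Message:
    """Pre-8.5.7 shape: every existing file ID from the request is attached."""
    msg = Message(user, body)
    for fid in file_ids:
        f = FILES.get(fid)
        if f is None:
            continue
        msg.attachments.append(f)  # no view check: the IDOR
    return msg


def add_message_fixed(user: User, body: str, file_ids) -> Message:
    """8.5.7 shape: refuse any file the acting user is not allowed to view."""
    msg = Message(user, body)
    for fid in file_ids:
        f = FILES.get(fid)
        if f is None:
            continue
        if not can_view(user, f):
            raise PermissionDenied(f"user {user.name!r} may not view file {fid}")
        msg.attachments.append(f)
    return msg


def render(msg: Message) -> dict:
    """What the conversation page exposes: the attachment paths, which is the
    disclosure when a restricted file was attached."""
    return {"body": msg.body, "attachments": [f.path for f in msg.attachments]}


def idor_sweep(user: User, candidate_ids, handler) -> list:
    """Tester's check: submit each candidate ID on its own and record the IDs
    of files that were attached although `user` may not view them."""
    leaked = []
    for fid in candidate_ids:
        try:
            msg = handler(user, "probe", [fid])
        except PermissionDenied:
            continue
        leaked.extend(f.file_id for f in msg.attachments if not can_view(user, f))
    return leaked


if __name__ == "__main__":
    guest = User("guest")
    print("vulnerable:", idor_sweep(guest, range(100, 110), add_message_vulnerable))
    print("fixed:     ", idor_sweep(guest, range(100, 110), add_message_fixed))
```

The sweep is the practical post-patch verification: on a fixed instance every ID outside the user's view permission must come back refused, while the user's own legitimately viewable files still attach, so a sweep with an authorised user is the regression check that the fix did not simply block all attachments.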

Fix

Information Disclosure

IDOR


Related Identifiers

CVE-2021-22967
GHSA-M2V2-8227-59F5

Affected Products

Concrete Cms