PT-2021-15303 · Unknown · Concrete Cms

Byc_404 · Published 2021-11-19 · Updated 2023-06-30 · CVE-2021-22968

CVSS v3.1: 7.2 High
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions 8.5.6 and below
Description: A bypass of the file extension check in the Concrete CMS File Manager leads to remote code execution. The external file upload feature (importing a file from a remote URL) downloads the file into a staging directory under the public web root before checking whether its extension is allowed, so a file with a disallowed extension (for example .php) is written to disk first and rejected only afterwards. The staging directory gets a random name, but the name can be brute-forced, so the staged file can be located and requested over HTTP while it exists. An administrator with file upload permission can use this to place restricted file types under the web root and have them executed, depending on the web server configuration (whether scripts in the staging directory are executed).
Recommendations: Update to Concrete CMS version 9.0.0 or later, where the allowed-extension check runs before the file is downloaded to the tmp directory, so a disallowed file is never written to disk. Until the update is applied, restrict the File Manager upload capability (including external upload) to the smallest possible set of trusted administrators, and confirm that the web server does not execute scripts from upload and tmp directories under the public web root.
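The ordering flaw described above and the fix the recommendation refers to, as an added illustration that is not Concrete CMS code: a download-then-check staging routine beside a check-then-download one. The function names, the allowlist, the 16-bit staging directory name, the directory layout and the "fetched" file bodies are all assumptions or constructed fixtures chosen to make the ordering problem visible.

```php
<?php
// Added illustration for this advisory; not Concrete CMS code. Paths, the
// allowlist, the 16-bit staging-directory name and the fetched bodies are
// assumptions or constructed fixtures.
declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

function extensionOf(string $filename): string
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

function isAllowedExtension(string $filename): bool
{
    return in_array(extensionOf($filename), ALLOWED_EXTENSIONS, true);
}

// Name the local file after the last path segment of the remote URL.
function localNameFromUrl(string $url): string
{
    return basename((string) parse_url($url, PHP_URL_PATH));
}

// Vulnerable ordering (the flaw the advisory describes): the remote body is
// written under the public web root first, into a directory whose random name
// is drawn from a small space, and the extension is checked only afterwards.
// Until cleanup runs, the file is reachable over HTTP at a guessable path, and
// a .php file there executes on any server that runs scripts from that directory.
function stageExternalFileVulnerable(string $webRoot, string $url, string $body): array
{
    $dir = $webRoot . '/tmp/' . bin2hex(random_bytes(2)); // assumed: 65,536 possible names
    mkdir($dir, 0755, true);
    $path = $dir . '/' . localNameFromUrl($url);
    file_put_contents($path, $body);                      // written before any check
    $exposed = is_file($path);                            // the window an attacker races
    if (!isAllowedExtension($path)) {
        unlink($path);                                    // too late if it was already requested
        rmdir($dir);
        return ['accepted' => false, 'written_under_webroot' => $exposed];
    }
    return ['accepted' => true, 'written_under_webroot' => $exposed, 'path' => $path];
}

// Hardened ordering: decide on the extension before fetching a single byte, and
// keep the staging area outside the web root under a 128-bit name, so nothing
// that is staged can be requested or guessed.
function stageExternalFileFixed(string $stagingRoot, string $url, string $body): array
{
    $name = localNameFromUrl($url);
    if (!isAllowedExtension($name)) {
        return ['accepted' => false, 'written_under_webroot' => false];
    }
    $dir = $stagingRoot . '/' . bin2hex(random_bytes(16));
    mkdir($dir, 0700, true);
    $path = $dir . '/' . $name;
    file_put_contents($path, $body);
    return ['accepted' => true, 'written_under_webroot' => false, 'path' => $path];
}

// Demo with constructed inputs: a benign image and a PHP payload "fetched" from a URL.
$base    = sys_get_temp_dir() . '/cms-demo-' . bin2hex(random_bytes(4));
$webRoot = $base . '/public';   // assumed document root
$staging = $base . '/private';  // assumed: not served by the web server
mkdir($webRoot, 0755, true);
mkdir($staging, 0700, true);

$fixtures = [
    'https://files.example.test/logo.png'  => "\x89PNG constructed image bytes",
    'https://files.example.test/shell.php' => "<?php system(\$_GET['c']); // constructed payload",
];

foreach ($fixtures as $url => $body) {
    $v = stageExternalFileVulnerable($webRoot, $url, $body);
    $f = stageExternalFileFixed($staging, $url, $body);
    printf("%-40s vulnerable: accepted=%d exposed=%d | fixed: accepted=%d exposed=%d\n",
        $url, $v['accepted'], $v['written_under_webroot'], $f['accepted'], $f['written_under_webroot']);
}

// Remove the demo tree.
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($it as $item) {
    $item->isDir() ? rmdir($item->getPathname()) : unlink($item->getPathname());
}
rmdir($base);
```

Run it with the php command-line interpreter. The point to take from the output is not the final decision (both variants reject shell.php) but the exposed column: the vulnerable variant has already placed the PHP file under the document root, in a directory with only 65,536 possible names, before it decides, which is the window the brute force in the advisory targets. The hardened variant never writes a disallowed file anywhere and keeps accepted files outside the web root, so even a guessed name yields nothing the web server will serve or execute.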

Exploit

Fix

RCE

Weakness Enumeration

Unrestricted File Upload

Use of Insufficiently Random Values

Related Identifiers

CVE-2021-22968
GHSA-G3P2-HFQR-9M25

Affected Products

Concrete Cms