CVE-2021-22970

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 8.5.6 and below Concrete CMS version 9.0.0

Description The issue allows local IP importing, making the system vulnerable to SSRF attacks on private LAN servers by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local network apps. This also involves SSRF Mitigation Bypass through DNS Rebinding.

Recommendations For Concrete CMS versions 8.5.6 and below, update to a version above 8.5.6 to mitigate the risk. For Concrete CMS version 9.0.0, consider disabling local IP importing until a patch is available. As a temporary workaround, restrict access to the local LAN to minimize the risk of exploitation.