CVE-2021-40109

Name of the Vulnerable Software and Affected Versions Concrete CMS versions through 8.5.5

Description A Server-Side Request Forgery (SSRF) issue allows users to access forbidden files on their local network. Users with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type, and the redirect is followed, loading the contents of the file from the redirected-to server. This enables the upload of files of disallowed types.

Recommendations For Concrete CMS versions through 8.5.5, update to a version later than 8.5.5 to resolve the issue. As a temporary workaround, consider restricting the ability to upload files from external sites to minimize the risk of exploitation.