PT-2022-20008 · Concrete · Concrete

Siebene · Published 2022-06-24 · Updated 2022-07-05 · CVE-2022-30117

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Concrete versions 8.5.7 and below
Concrete versions 9.0 through 9.0.2

Description
The issue allows path traversal in /index.php/ccm/system/file/upload, which could result in an arbitrary file delete. This was remediated by sanitizing the input to /index.php/ccm/system/file/upload so that Concrete does not allow traversal, and by changing isFullChunkFilePresent to return false early when its input does not match expectations.

Recommendations
For Concrete versions 8.5.7 and below, update to a version above 8.5.7 to resolve the issue. For Concrete versions 9.0 through 9.0.2, update to a version above 9.0.2 to resolve the issue. As a temporary workaround, consider restricting access to the /index.php/ccm/system/file/upload endpoint until a patch is available. Restrict input to the isFullChunkFilePresent function to minimize the risk of exploitation.
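The two remediation ideas in the description (reject input that does not match the expected identifier shape before touching the filesystem, and make sure every resolved chunk path stays inside the chunk directory, including on the delete path) are shown in the added PHP example below. This is not Concrete's code and is not taken from the fix; the chunk directory, the identifier format, and the function names are assumptions chosen for illustration.

```php
<?php
// Added example (not Concrete CMS code): a hardened "early false return" check
// of the kind the advisory describes for isFullChunkFilePresent. The
// directory, identifier format and function names are hypothetical.

declare(strict_types=1);

// Hypothetical chunk-store root; a real application would read this from its
// configured temporary upload directory.
const CHUNK_DIR = '/var/tmp/app-chunks';

/**
 * Returns true only when $fileId and $chunkIndex look exactly like the
 * identifiers the uploader itself generates. Anything else (slashes, dots,
 * NUL bytes, empty strings) fails fast without touching the filesystem.
 */
function isValidChunkIdentifier(string $fileId, string $chunkIndex): bool
{
    // Early false return. A 32-character hex token and a short decimal index
    // are assumed here as the shape of generated identifiers.
    if (!preg_match('/^[a-f0-9]{32}$/', $fileId)) {
        return false;
    }
    if (!preg_match('/^[0-9]{1,6}$/', $chunkIndex)) {
        return false;
    }
    return true;
}

/**
 * Builds the on-disk path for a chunk and confirms it stays inside CHUNK_DIR.
 * Returns null if the identifier is malformed or the resolved path escapes
 * the chunk directory; callers must treat null as "do nothing".
 */
function resolveChunkPath(string $fileId, string $chunkIndex): ?string
{
    if (!isValidChunkIdentifier($fileId, $chunkIndex)) {
        return null;
    }
    $base = realpath(CHUNK_DIR);
    if ($base === false) {
        return null; // chunk directory missing or unreadable
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $fileId . '.part' . $chunkIndex;

    // Normalise without requiring the chunk file to exist yet: resolve the
    // parent directory and re-attach the already validated basename.
    $parent = realpath(dirname($candidate));
    if ($parent === false || $parent !== $base) {
        return null;
    }
    return $parent . DIRECTORY_SEPARATOR . basename($candidate);
}

/**
 * Safe counterpart to an "is the full chunk file present" check: the
 * filesystem is consulted only after the path is proven to be inside CHUNK_DIR.
 */
function isFullChunkFilePresentSafe(string $fileId, string $chunkIndex): bool
{
    $path = resolveChunkPath($fileId, $chunkIndex);
    if ($path === null) {
        return false;
    }
    return is_file($path);
}

/**
 * Deletion guarded the same way, so a malformed identifier can never turn
 * into an unlink() outside the chunk directory.
 */
function removeChunk(string $fileId, string $chunkIndex): bool
{
    $path = resolveChunkPath($fileId, $chunkIndex);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

// Constructed sample identifiers for a quick self-check. No files are touched:
// only the input validator runs here.
$samples = [
    ['0123456789abcdef0123456789abcdef', '3'],    // well-formed: accepted
    ['../../config/database.php', '0'],          // traversal shape: rejected
    ['0123456789abcdef0123456789abcdef', "1\0"], // embedded NUL: rejected
    ['', ''],                                    // empty: rejected
];
foreach ($samples as [$id, $idx]) {
    $verdict = isValidChunkIdentifier($id, $idx) ? 'accepted' : 'rejected';
    echo str_pad($verdict, 9), ' ', json_encode($id), ' / ', json_encode($idx), PHP_EOL;
}
```

The design point is that validation happens on the identifier, not on the assembled path: an allow-list regex is easier to reason about than trying to strip `..` sequences, and the realpath comparison is a second, independent guard that also covers symlinks inside the chunk directory. Both the presence check and the delete routine go through the same resolver, so there is no separate code path where an unchecked name can reach unlink().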

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2022-30117
GHSA-3JXH-6635-6JWP

Affected Products

Concrete