PT-2023-30868 · Unknown · Concrete Cms
Tahabiyikli-Vortex · Published 2023-11-17 · Updated 2024-08-29 · CVE-2023-48648
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Concrete CMS versions prior to 8.5.13
Concrete CMS versions 9.x prior to 9.2.2

Description
The issue allows unauthorized access because directories are created with insecure permissions. File creation functions such as the Mkdir() function grant universal (world) read, write and execute access (0777) to created folders by default. Excessive permissions result when a directory is created with a mode greater than 0755 or when the permissions argument is not specified at all.

Recommendations
For versions prior to 8.5.13, update to version 8.5.13 or later. For versions 9.x prior to 9.2.2, update to version 9.2.2 or later. As a temporary workaround, set the permissions argument to 0755 or less when creating directories with the Mkdir() function to minimize the risk of exploitation.
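As an added example (not Concrete CMS code and not part of this advisory), the following PHP contrasts the insecure pattern the advisory describes (mode omitted, so mkdir() falls back to 0777) with the recommended explicit 0755 mode, adds a post-creation check that the directory is not group/world-writable, and includes a small audit helper a defender can point at a web root after upgrading. The function names, the temporary-directory demo and the umask manipulation used to make the default visible are assumptions of this example.

```php
<?php
// Added example, not Concrete CMS code. Demonstrates the insecure-default versus explicit-mode
// patterns for directory creation and a simple audit for world-writable directories.
declare(strict_types=1);

// Insecure pattern: the mode is omitted, so PHP's default of 0777 applies (narrowed only by
// whatever umask the web server process happens to run with). Hypothetical name.
function createDirInsecure(string $path): bool
{
    return mkdir($path, 0777, true); // identical to mkdir($path) with the default mode
}

// Hardened pattern (hypothetical name): explicit mode, refusal of group/other write bits,
// and an enforced chmod() because mkdir() honours umask and an existing directory keeps its old bits.
function createDirSecure(string $path, int $mode = 0755): bool
{
    if (($mode & 0022) !== 0) {
        throw new InvalidArgumentException(sprintf('Refusing mode %04o: group/other write bits set', $mode));
    }
    if (!is_dir($path) && !mkdir($path, $mode, true) && !is_dir($path)) {
        return false; // creation failed and nobody else created it in the meantime
    }
    if (!chmod($path, $mode)) { // chmod() is not subject to umask
        return false;
    }
    clearstatcache(true, $path);
    $actual = fileperms($path) & 0777;
    return ($actual & 0022) === 0; // verify the result rather than trusting the request
}

// Audit helper (hypothetical name): list directories under $root whose "other write" bit is set.
function findWorldWritableDirs(string $root): array
{
    $hits = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $entry) {
        if ($entry->isDir() && ($entry->getPerms() & 0002) !== 0) {
            $hits[] = $entry->getPathname();
        }
    }
    return $hits;
}

// Demonstration in a constructed temporary directory.
$base = sys_get_temp_dir() . '/perm-demo-' . bin2hex(random_bytes(4));

// Simulate a permissive process umask so the 0777 default actually reaches disk.
$savedUmask = umask(0);
createDirInsecure($base . '/insecure');
umask($savedUmask);

createDirSecure($base . '/secure');

printf("insecure: %04o\n", fileperms($base . '/insecure') & 0777); // 0777 under umask 0
printf("secure:   %04o\n", fileperms($base . '/secure') & 0777);   // 0755 regardless of umask
print_r(findWorldWritableDirs($base));                              // lists only .../insecure

// Clean up the demo directories.
rmdir($base . '/insecure');
rmdir($base . '/secure');
rmdir($base);
```

Under a typical umask of 0022 the "insecure" call would also land as 0755, which is exactly why relying on the default is fragile: the effective permissions depend on the environment rather than on the code. The audit helper is the check to run after upgrading, since directories created by a vulnerable version keep the permissions they were created with.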

Fix

Weakness Enumeration: Incorrect Default Permissions

Related Identifiers: CVE-2023-48648, GHSA-M87H-JXR6-F82W

Affected Products: Concrete Cms