CVE-2021-22967: Authorization Bypass Through User-Controlled Key

November 23, 2021 (updated November 24, 2021)

In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in “add / edit message”.Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NCredit for discovery Adrian H

References

documentation.concretecms.org/developers/introduction/version-history/857-release-notes
github.com/advisories/GHSA-m2v2-8227-59f5
hackerone.com/reports/869612
nvd.nist.gov/vuln/detail/CVE-2021-22967

Code Behaviors & Features

Detect and mitigate CVE-2021-22967 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →