Vulnerability Allowing Full Server Takeover Found in Concrete5 CMS (Security News, August 2020)
A remote code execution vulnerability recently addressed in Concrete5 exposed numerous websites to attacks, Edgescan reports.
Edgescan found an RCE flaw in Concrete5 that could have allowed an attacker to inject a reverse shell into a vulnerable web server and take full control of it.
The issue was identified in Concrete5 version 8.5.2. It allowed an attacker to modify the site configuration and upload a PHP file to the server, gaining arbitrary command execution on it.
To mount an attack, an adversary would need administrative permissions to reach the 'Allow File types' setting and add the PHP file type to the list of allowed extensions.
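The attack chain described above has two observable stages: the upload allow-list changes to include a server-side executable type, and then a file with that type lands in the upload directory. The following audit helpers, added here as an example and not code from Concrete5 or Edgescan, show how a defender can flag both. They assume the allow-list is available as a comma-separated string of extensions (the exact Concrete5 configuration key is not given in the article and is not assumed here) and compare it against a known-good baseline, so that an administrator-level change like the one described is caught even when the site otherwise looks normal.

```python
"""Audit an upload extension allow-list for server-side executable types.

Added example; not Concrete5's own code. The allow-list is assumed to be a
comma- or whitespace-separated string of extensions, which is how many CMSs
store the 'allowed file types' setting.
"""
import re

# Extensions a PHP-enabled web server will typically hand to an interpreter
# or treat as server configuration. Constructed for this example; extend it
# to match the handlers actually enabled on the server.
EXECUTABLE_EXTENSIONS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "inc", "htaccess", "cgi", "pl", "shtml",
})


def normalize_extension(ext: str) -> str:
    """Lower-case and strip dots/whitespace so 'PHP', '.php ' and 'php' compare equal."""
    return ext.strip().lstrip(".").lower()


def parse_allow_list(raw: str) -> list[str]:
    """Split a comma/whitespace separated allow-list into normalized extensions."""
    return [normalize_extension(e) for e in re.split(r"[,\s]+", raw) if e.strip()]


def find_executable_entries(raw: str) -> list[str]:
    """Return allow-list entries that would let an upload run as server-side code."""
    return sorted({e for e in parse_allow_list(raw) if e in EXECUTABLE_EXTENSIONS})


def diff_against_baseline(raw: str, baseline: str) -> dict:
    """Compare a live allow-list against a known-good baseline.

    In the Concrete5 case the attacker first edits the allow-list; an
    unexpected addition here is the earliest signal of that step.
    """
    live = set(parse_allow_list(raw))
    known = set(parse_allow_list(baseline))
    return {"added": sorted(live - known), "removed": sorted(known - live)}


def filename_is_safe(filename: str, raw: str) -> bool:
    """Decide whether an uploaded filename should be accepted under the allow-list.

    Every suffix after the base name is checked, so 'shell.php.jpg' and
    'shell.jpg.php' are both rejected; files with no extension and dotfiles
    such as '.htaccess' are rejected as well.
    """
    allowed = set(parse_allow_list(raw))
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(
        s != "" and s in allowed and s not in EXECUTABLE_EXTENSIONS
        for s in parts[1:]
    )


if __name__ == "__main__":
    # Constructed sample: a baseline and a live setting after an admin-level change.
    baseline = "jpg, png, gif, pdf"
    live = "jpg, png, gif, pdf, PHP"
    print("executable entries:", find_executable_entries(live))
    print("drift:", diff_against_baseline(live, baseline))
    for name in ("report.pdf", "shell.php", "shell.php.jpg", "shell.jpg.php"):
        print(name, "->", "accept" if filename_is_safe(name, live) else "reject")
```

Running the drift check on a schedule against a stored baseline, and applying the filename check at upload time regardless of what the allow-list says, turns the configuration change the attacker relies on into an alert rather than a silent precondition.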
By exploiting the vulnerability, Edgescan says, an attacker "would be able to take full control over the web server. By executing arbitrary commands on the server, an attacker could compromise the integrity, availability and confidentiality. And pivot onto other servers on the internal network."