Vulnerabilities > CVE-2021-40109 - Server-Side Request Forgery (SSRF) vulnerability in Concretecms Concrete CMS

CVSS 6.4 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

concretecms

CWE-918

NVD

Published: 2021-09-27

Updated: 2021-09-30

Summary

A SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type. The redirect is followed and loads the contents of the file from the redirected-to server. Files of disallowed types can be uploaded.

Vulnerable Configurations

Part	Description	Count
Application	Concretecms Concretecms Concrete CMS 5.4.2 Concretecms Concrete CMS 5.4.2.1 Concretecms Concrete CMS 5.6.1 Concretecms Concrete CMS 5.6.1.1 Concretecms Concrete CMS 5.6.1.2 Concretecms Concrete CMS 5.6.2 Concretecms Concrete CMS 5.6.2.1 Concretecms Concrete CMS 5.6.3 Concretecms Concrete CMS 5.6.3.1 Concretecms Concrete CMS 5.6.3.3 Concretecms Concrete CMS 5.6.3.4 Concretecms Concrete CMS 5.6.3.5 Concretecms Concrete CMS 5.6.4.0 Concretecms Concrete CMS 5.7.0 Concretecms Concrete CMS 5.7.0.1 Concretecms Concrete CMS 5.7.0.3 Concretecms Concrete CMS 5.7.0.4 Concretecms Concrete CMS 5.7.1 Concretecms Concrete CMS 5.7.2 Concretecms Concrete CMS 5.7.2.1 Concretecms Concrete CMS 5.7.3 Concretecms Concrete CMS 5.7.3.1	22

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References