CVE-2017-8082 — MEDIUM (6.5)

Vulnerability Description

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results in a site-wide denial of service making the site not accessible to any users or any administrators.

CVSS Score

6.5

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Concretecms	Concrete Cms	8.1.0

Related Weaknesses (CWE)

CWE-352

References

http://zeroday.insecurity.zone/exploits/concrete5_csrf_dos.txtExploitThird Party Advisory
https://drive.google.com/open?id=0B3vXUYdNMECWZTd3SFRnUjllWk0Exploit
https://twitter.com/insecurity/status/856066923146215425Third Party Advisory
http://zeroday.insecurity.zone/exploits/concrete5_csrf_dos.txtExploitThird Party Advisory
https://drive.google.com/open?id=0B3vXUYdNMECWZTd3SFRnUjllWk0Exploit
https://twitter.com/insecurity/status/856066923146215425Third Party Advisory

FAQ

What is CVE-2017-8082?

CVE-2017-8082 is a vulnerability with a CVSS score of 6.5 (MEDIUM). concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving t...

How severe is CVE-2017-8082?

CVE-2017-8082 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-8082?

Check the references section above for vendor advisories and patch information. Affected products include: Concretecms Concrete Cms.