Vulnerability Description
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. Directory-creation functions (such as the Mkdir() function) give universal access (0777) to created folders by default. Excessive permissions result when a directory is created with permissions greater than 0755 or when the permissions argument is not specified. A world-writable directory lets any other local account on the host create or replace files inside it, which is what makes a 0777 folder under a CMS install dangerous.
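The two failure modes named above (a 0777 default, and a caller passing something looser than 0755) and the corresponding fix are easy to show in code. The following is an added illustration, not Concrete CMS's own code: the mechanism (mode argument, process umask, an explicit chmod that bypasses the umask) is the same for PHP's mkdir()/chmod() as for the Python calls used here. The function names `make_dir_insecure`, `make_dir_hardened` and `find_writable_dirs`, and the scratch directory tree the demo builds, are constructed for this example; the audit function is general and will report any group- or world-writable directory under a path you give it, such as a real install's files directory.

```python
import os
import shutil
import stat
import tempfile

# Upper bound for a directory created on behalf of the web server: owner rwx, group/other rx.
MAX_DIR_MODE = 0o755
# Bits that must never survive on such a directory: group write and world write (0o022).
FORBIDDEN_BITS = stat.S_IWGRP | stat.S_IWOTH


def clamp_mode(requested):
    """Reduce a requested mode to at most MAX_DIR_MODE.

    Keeps only the bits 0755 allows: 0777 and 01777 become 0755, while 0750 stays 0750.
    """
    return requested & MAX_DIR_MODE


def make_dir_insecure(path, mode=0o777):
    """The pattern the advisory describes (hypothetical name): mode defaults to 0777
    and is applied unconditionally.

    The explicit chmod() matters: mkdir() alone is filtered by the process umask,
    chmod() is not, so the directory ends up exactly 0777 whatever the umask says.
    Returns the resulting permission bits.
    """
    os.mkdir(path, mode)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def make_dir_hardened(path, mode=MAX_DIR_MODE):
    """Hardened equivalent (hypothetical name): an omitted mode defaults to 0755, an
    over-permissive one is clamped to 0755, and the result is verified after creation.

    Returns the resulting permission bits; removes the directory and raises if it
    still carries group/world write (for example because a racing chmod loosened it).
    """
    effective = clamp_mode(mode)
    os.mkdir(path, effective)  # the umask may tighten this further; it can never loosen it
    actual = stat.S_IMODE(os.stat(path).st_mode)
    if actual & FORBIDDEN_BITS:
        os.rmdir(path)
        raise PermissionError(f"{path} created with mode {actual:04o}")
    return actual


def find_writable_dirs(root):
    """Audit helper: relative paths of directories under root that are group- or
    world-writable, sorted. Symlinks are not followed (os.walk default), so a link
    to /tmp does not produce a hit.
    """
    hits = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode & FORBIDDEN_BITS:
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def demo():
    """Build a constructed scratch tree (not a real Concrete install), create one
    directory each way, audit the tree, and clean up. Returns what was observed."""
    root = tempfile.mkdtemp(prefix="dirperm_demo_")  # mkdtemp creates root as 0700
    try:
        insecure = make_dir_insecure(os.path.join(root, "files_insecure"))
        hardened = make_dir_hardened(os.path.join(root, "files_hardened"))        # mode omitted
        clamped = make_dir_hardened(os.path.join(root, "files_clamped"), 0o777)   # caller asked for 0777
        hits = find_writable_dirs(root)
    finally:
        shutil.rmtree(root)
    return {"insecure": insecure, "hardened": hardened, "clamped": clamped, "hits": hits}


if __name__ == "__main__":
    result = demo()
    print(f"insecure: {result['insecure']:04o}  hardened: {result['hardened']:04o}  "
          f"clamped: {result['clamped']:04o}  flagged: {result['hits']}")
```

Running the block creates the three directories and reports that only `files_insecure` is flagged; the hardened directories come out as 0755 (or tighter, depending on the umask) regardless of what the caller asked for. Note that the clamp also drops setgid and sticky bits, so a deployment that relies on setgid group inheritance would need to allow that bit explicitly rather than reuse the 0755 mask as written.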
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Concretecms | Concrete Cms | < 8.5.13 |
| Concretecms | Concrete Cms | 9.x, < 9.2.2 |
Related Weaknesses (CWE)
References
- https://documentation.concretecms.org/developers/introduction/version-history/85 (Release Notes)
- https://documentation.concretecms.org/developers/introduction/version-history/92 (Release Notes)
- https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog (Release Notes, Vendor Advisory)
FAQ
What is CVE-2023-48648?
CVE-2023-48648 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. Directory-creation functions (such as the Mkdir() function) give universal access (0777) to created folders by default, and excessive permissions also result when a caller passes a mode greater than 0755.
How severe is CVE-2023-48648?
CVE-2023-48648 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-48648?
Yes. The vendor fixed this in Concrete CMS 8.5.13 (8.5 branch) and 9.2.2 (9.x branch); see the release notes and vendor advisory in the references section above. Affected products: Concretecms Concrete Cms, versions before 8.5.13 and 9.x before 9.2.2. After upgrading, existing directories that were already created as 0777 keep that mode, so audit the install for group- or world-writable directories and tighten them.