Vulnerability Information
Vulnerability Title
N/A
Vulnerability Description
A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below. The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration. To fix this, a check for allowed file extensions was added before downloading files to a tmp directory. Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N. This fix is also in Concrete version 9.0.0.
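The ordering the fix describes (check the extension first, stage the file second) can be sketched as follows. This is an added example, not Concrete CMS code: the function names, the allowlist and the staging directory outside the web root are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed allowlist for this example; a real site would use its configured list.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Hypothetical helper: lower-cased extension of the URL's path, or '' if none.
function remoteFileExtension(string $url): string
{
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return '';
    }
    // Decode first so "report%2Ephp" is judged as "report.php".
    $name = basename(rawurldecode($path));
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Hypothetical helper: may this URL be fetched at all?
function isRemoteFileAllowed(string $url, array $allowed = ALLOWED_EXTENSIONS): bool
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    $ext = remoteFileExtension($url);
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Validate before anything is written; $stagingDir is assumed to sit outside the web root.
function stageRemoteFile(string $url, string $stagingDir): ?string
{
    if (!isRemoteFileAllowed($url)) {
        return null; // rejected: no download, no staged file
    }
    $target = tempnam($stagingDir, 'import_');
    if ($target === false || !copy($url, $target)) {
        return null;
    }
    return $target;
}

// Constructed sample URLs (example.test is a placeholder host); no network access here.
$samples = ['https://example.test/img/logo.png', 'https://example.test/a/report%2Ephp',
            'https://example.test/get.php?f=logo.png', 'ftp://example.test/logo.png'];
foreach ($samples as $url) {
    printf("%-42s %s\n", $url, isRemoteFileAllowed($url) ? 'allowed' : 'rejected');
}
```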
CVSS Information
N/A
Vulnerability Type
Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion)
Vulnerability Title
PortlandLabs Concrete CMS Code Issue Vulnerability
Vulnerability Description
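PortlandLabs Concrete CMS is an open-source content management system for teams, developed by the US company PortlandLabs. PortlandLabs Concrete CMS contains a code issue vulnerability: adding remote files in the Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.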
CVSS Information
N/A
Vulnerability Type
N/A