Lucene search
Veracode Vulnerability DatabaseVERACODE:33089HistoryNov 24, 2021 - 4:29 p.m.
Server-Side Request Forgery (SSRF)
2021-11-2416:29:47
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
4
0.001 Low
EPSS
Percentile
32.2%
concrete5/concrete5 is vulnerable to server-side request forgery (SSRF). The vulnerability exists in file.php because the server doesn’t specify the validated IPs when downloading files which allows an attacker to access cloud and download files from the local network.
References
documentation.concretecms.org/developers/introduction/version-history/857-release-notes
github.com/advisories/GHSA-mcxr-fx5f-96qq
github.com/concrete5/concrete5-core/commit/505c8d2ebcb04f53e45a29e67cfc354c13481967
github.com/concrete5/concrete5/commit/d22102d46aafd0e60d6dfc750d8e3ddaf40f2633
github.com/concrete5/concrete5/pull/9975
hackerone.com/reports/1369312
Related
nvd
nvd
CVE-2021-22969
2021-11-19 19:15:08
cvelist
cvelist
CVE-2021-22969
2021-11-19 18:08:30
osv
osv
Server-Side Request Forgery in Concrete CMS
2021-11-23 18:18:35
github
github
Server-Side Request Forgery in Concrete CMS
2021-11-23 18:18:35
prion
prion
Design/Logic Flaw
2021-11-19 19:15:00
cve
cve
CVE-2021-22969
2021-11-19 19:15:08
cnvd
cnvd
PortlandLabs Concrete Cms Code Issue Vulnerability (CNVD-2021-94042)
2021-11-23 00:00:00
hackerone
hackerone
Concrete CMS: SSRF mitigation bypass using DNS Rebind attack
2021-10-13 13:27:58
openvas
openvas
Concrete CMS < 8.5.7 Multiple Vulnerabilities
2021-11-22 00:00:00