VYPR
Moderate severity · NVD Advisory · Published Nov 19, 2021 · Updated Aug 3, 2024

CVE-2021-22951

Description

Concrete CMS prior to 8.5.7 allowed unauthorized viewing of password-protected files via view_inline, leaking file contents.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Concrete CMS (formerly concrete5) lets a file in the file manager be protected with a password. In versions prior to 8.5.7 the view_inline endpoint did not check whether the requested file had a password set, so that protection was bypassed whenever the file was requested through view_inline with its file ID rather than through the protected route. The missing check is present in every release before 8.5.7; version 8.5.6 shipped only partial mitigations (view_inline restricted to image file types, plus a warning in the file manager), and the check itself arrived in 8.5.7 [1][2].

Exploitation

An attacker needs neither credentials nor any special network position: knowing or guessing the numeric file ID of a password-protected file is enough. A single request to the view_inline handler carrying that file ID returns the file contents. No user interaction or race condition is involved [1].

Impact

Successful exploitation discloses the contents of password-protected files to an unauthenticated attacker. The advisory rates this 5.3 (CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N): confidentiality impact Low because only the subset of files carrying a password is exposed, with no integrity or availability impact. In practice the real severity depends on what a site placed behind those passwords [1].

Mitigation

The fix is included in Concrete CMS 8.5.7, released November 2021, and is also present in 9.0.0. It adds a check in view_inline: if the file has a password set, the file is not rendered. Version 8.5.6 carried only two mitigations, restricting view_inline to image file types and placing a warning in the file manager; these narrow the exposure but do not remove it, since a password-protected image remains readable. Users should upgrade to 8.5.7 or later [1][2].
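To make the missing check and its fix concrete, here is an added example written for this page; it is not Concrete CMS code. The FileStore class, the handler and helper names, the session-unlock model and the two sample files are hypothetical and constructed for the illustration. It models a view_inline handler in the shape described above: the vulnerable variant serves any file that exists, the fixed variant refuses a password-protected file until the caller has supplied the password.

```php
<?php
declare(strict_types=1);

// Added illustration for CVE-2021-22951, not code from Concrete CMS.
// FileStore, respond, viewInlineVulnerable, viewInlineFixed and unlockFile
// are hypothetical names; the sample files below are constructed.

final class FileStore
{
    /** @var array<int, array{name: string, mime: string, passwordHash: ?string, body: string}> */
    private array $files;

    public function __construct()
    {
        // Constructed sample data: file 2 carries a password, file 1 does not.
        $this->files = [
            1 => ['name' => 'logo.png', 'mime' => 'image/png',
                  'passwordHash' => null, 'body' => "\x89PNG..."],
            2 => ['name' => 'payroll.pdf', 'mime' => 'application/pdf',
                  'passwordHash' => password_hash('hunter2', PASSWORD_DEFAULT),
                  'body' => '%PDF-1.4 confidential payroll data'],
        ];
    }

    public function get(int $fID): ?array
    {
        return $this->files[$fID] ?? null;
    }
}

/** Response shape used by both handlers: HTTP status, headers, body. */
function respond(int $status, array $headers = [], string $body = ''): array
{
    return ['status' => $status, 'headers' => $headers, 'body' => $body];
}

// Pre-8.5.7 shape of the bug: the file is rendered as soon as it exists.
// The password on the file is never consulted, so anyone who knows the
// file ID reads the body.
function viewInlineVulnerable(FileStore $store, int $fID): array
{
    $f = $store->get($fID);
    if ($f === null) {
        return respond(404);
    }
    return respond(200, [
        'Content-Type'        => $f['mime'],
        'Content-Disposition' => 'inline; filename="' . $f['name'] . '"',
    ], $f['body']);
}

// Fixed shape: a password-protected file is not rendered unless this
// session has already unlocked that file ID. The gate runs before any
// bytes are emitted and is the same gate every file-serving route needs;
// limiting view_inline to image types (the 8.5.6 mitigation) leaves
// protected images exposed.
function viewInlineFixed(FileStore $store, int $fID, array $unlockedFileIDs): array
{
    $f = $store->get($fID);
    if ($f === null) {
        return respond(404);
    }
    if ($f['passwordHash'] !== null && !in_array($fID, $unlockedFileIDs, true)) {
        return respond(403);
    }
    return respond(200, [
        'Content-Type'        => $f['mime'],
        'Content-Disposition' => 'inline; filename="' . $f['name'] . '"',
    ], $f['body']);
}

// Records a successful password entry for one file ID in the session's
// unlocked list; a wrong password leaves the list unchanged.
function unlockFile(FileStore $store, int $fID, string $supplied, array $unlockedFileIDs): array
{
    $f = $store->get($fID);
    if ($f !== null && $f['passwordHash'] !== null
        && password_verify($supplied, $f['passwordHash'])
        && !in_array($fID, $unlockedFileIDs, true)) {
        $unlockedFileIDs[] = $fID;
    }
    return $unlockedFileIDs;
}

$store    = new FileStore();
$unlocked = [];

printf("vulnerable view_inline, file 2 (protected): %d\n", viewInlineVulnerable($store, 2)['status']);
printf("fixed view_inline, file 2, not unlocked:     %d\n", viewInlineFixed($store, 2, $unlocked)['status']);
$unlocked = unlockFile($store, 2, 'wrong', $unlocked);
printf("fixed view_inline, file 2, wrong password:   %d\n", viewInlineFixed($store, 2, $unlocked)['status']);
$unlocked = unlockFile($store, 2, 'hunter2', $unlocked);
printf("fixed view_inline, file 2, unlocked:         %d\n", viewInlineFixed($store, 2, $unlocked)['status']);
printf("fixed view_inline, file 1 (no password):     %d\n", viewInlineFixed($store, 1, $unlocked)['status']);
```

Run it with a PHP 8 interpreter. The vulnerable handler returns 200 for the protected file; the fixed handler returns 403 until unlockFile has been given the correct password, then 200, and the unprotected file is served by both. The point to carry over to a real code base is that the password gate belongs to the file record, not to one route, so every route that emits file bytes must apply the same check.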

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions   Patched versions
concrete5/core (Packagist)   < 8.5.7             8.5.7

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)