CVE-2021-22966
Description
Privilege escalation from Editor to Admin in Concrete CMS 8.5.6 and below via crafted curl request on the bulkupdate page when group has view permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Concrete CMS versions 8.5.6 and below, a privilege escalation vulnerability exists in the Groups functionality on the bulkupdate page. If a group is granted "view" permissions on the bulkupdate page, users in that group can exploit the endpoint by sending a specially crafted curl request to escalate their privileges to administrator. The issue is fixed by adding a check for group permissions before allowing a group to be moved. The fix is included in Concrete CMS version 8.5.7 and version 9.0.0 [1][2].
Exploitation
An attacker must have an Editor-level account and be a member of a group that has been granted "view" permissions on the /dashboard/users/groups/bulk_update page. No additional write access is needed. The attacker then sends a specially crafted curl request to the bulk update endpoint, manipulating group membership or group attributes to elevate privileges [1][2]. User interaction is not required beyond the initial authenticated request.
Impact
Successful exploitation allows the attacker to escalate privileges from Editor to Administrator. This grants full control over the Concrete CMS instance, including the ability to modify site content, manage users, install packages, and change system configuration. The CIA impact is high: confidentiality, integrity, and availability are all compromised [1][2].
Mitigation
The vulnerability is fixed in Concrete CMS version 8.5.7, released on 2021-11-19, and also in version 9.0.0. Users should upgrade to 8.5.7 or later. There is no known workaround other than upgrading. No evidence of inclusion in CISA KEV was found in the provided references [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| concrete5/core (Packagist) | < 8.5.7 | 8.5.7 |
Affected products
- Concrete CMS/Concrete CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-j4mv-2rv7-v2j9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-22966 (advisory)
- documentation.concretecms.org/developers/introduction/version-history/857-release-notes (web)
- hackerone.com/reports/1362747 (web)
News mentions
No linked articles in our index yet.