VYPR
Moderate severity · 4.3 · NVD Advisory · Published Nov 19, 2021 · Updated Aug 3, 2024

CVE-2021-22967

Description

In Concrete CMS below 8.5.7, an IDOR vulnerability allows unauthenticated users to access restricted files when they can add messages to conversations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Concrete CMS (formerly concrete5) versions below 8.5.7, an Insecure Direct Object Reference (IDOR) vulnerability exists in the conversation message feature. When a user is allowed to add a message to a conversation, the application does not verify that the user has permission to view files before attaching them to the message. This allows an unauthenticated user to access restricted files if they can add a message to a conversation [1].

Exploitation

An attacker who is able to add a message to a conversation (e.g., through a public conversation or by being granted that ability) can attach files that they should not have access to. The attacker can then view or download those files by exploiting the missing permission check. No authentication is required beyond the ability to add a message [1].

Impact

Successful exploitation leads to unauthorized disclosure of restricted files. The confidentiality of files stored in the file manager is compromised. The CVSS v3.1 score is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), indicating low confidentiality impact with no integrity or availability impact [1].

Mitigation

The vulnerability is fixed in Concrete CMS version 8.5.7. Users should upgrade to 8.5.7 or later. The fix adds a permission check to verify that the user has permission to view files before attaching them to a message in the "add / edit message" functionality [1][2]. No workarounds are documented.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
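The missing check described above, modelled as an added example that is not Concrete CMS code (the handler names, the in-memory file manager and the permission rules are constructed assumptions): the pre-8.5.7 shape checks only the right to post to the conversation, while the hardened handler also checks view permission on every file ID before attaching it, and fails closed on unknown IDs.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class File:
    file_id: int
    owner: str
    public: bool = False  # True: any visitor may view it

@dataclass
class Conversation:
    conv_id: int
    open_to_guests: bool  # True: unauthenticated visitors may post

@dataclass
class Message:
    author: Optional[str]  # None models an unauthenticated guest
    body: str
    attachments: list = field(default_factory=list)

# Constructed sample file manager: one public file, one restricted to "alice".
FILES: dict = {1: File(1, "alice", public=True), 2: File(2, "alice")}
PUBLIC_CONV = Conversation(10, open_to_guests=True)

def can_add_message(user: Optional[str], conv: Conversation) -> bool:
    return conv.open_to_guests or user is not None

def can_view_file(user: Optional[str], f: File) -> bool:
    """Hypothetical file-level view check, standing in for the CMS's own."""
    return f.public or (user is not None and user == f.owner)

def add_message_unchecked(user, conv, body, file_ids):
    """Models the pre-8.5.7 behaviour: only the right to post is checked,
    so any file ID the caller names is attached and becomes readable."""
    if not can_add_message(user, conv):
        raise PermissionError("cannot post to this conversation")
    return Message(user, body, [FILES[fid] for fid in file_ids])

def add_message(user, conv, body, file_ids):
    """Hardened handler: the right to post and per-file view rights are checked separately."""
    if not can_add_message(user, conv):
        raise PermissionError("cannot post to this conversation")
    attachments = []
    for fid in file_ids:
        f = FILES.get(fid)
        # Fail closed: unknown and non-viewable files share one error (no existence oracle).
        if f is None or not can_view_file(user, f):
            raise PermissionError("cannot attach file")
        attachments.append(f)
    return Message(user, body, attachments)
```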

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: concrete5/core (Packagist)
Affected versions: < 8.5.7
Patched versions: 8.5.7

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)