VYPR
Severity: High (score 5.4) · NVD Advisory · Published Nov 19, 2021 · Updated Aug 3, 2024

CVE-2021-22968

Description

Concrete CMS 8.5.6 and below: a bypass in the File Manager's external file upload feature stages files with disallowed extensions in a public directory, which can lead to remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A bypass in the external file upload feature of Concrete CMS (versions 8.5.6 and below) lets an administrator import files whose extensions are on the disallowed list. The extension check runs only after the file has been fetched and written to a staging directory under the public web root. That directory has a randomly generated name, but the upload can be stalled and the name brute-forced, so the staged file can be requested while it exists and, depending on server configuration, executed by the web server [1].

Exploitation

Exploitation requires an administrator account that can upload files, so this is a path from CMS administrator to code execution on the host rather than an unauthenticated bug. The attacker points the external file upload at a file with a dangerous extension (for example .php), stalls the upload so the staged copy remains in the public directory, and brute-forces the randomized directory name until the file is found. Requesting that file through the web server then runs it if the server is configured to execute scripts from that location [1].

Impact

Successful exploitation allows remote code execution (RCE) with the privileges of the web server process. The CVSS v3.1 score is 5.4 with vector AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N: high attack complexity (the brute force), high privileges required (administrator), user interaction required, changed scope (the impact reaches the host rather than staying inside the CMS), high integrity impact and no confidentiality or availability impact [1]. Two caveats for triage: 5.4 falls in the Medium band of the CVSS v3.1 qualitative scale despite the severity label, and code execution on a web server normally affects confidentiality and availability as well, so the C:N/A:N components understate what a successful exploit can reach.

Mitigation

The issue is fixed in Concrete CMS 8.5.7 and 9.0.0. The fix adds a check for allowed file extensions before the remote file is downloaded to a temporary directory, so a disallowed file is never written under the web root in the first place. Users should upgrade to 8.5.7 or later (or 9.0.0 or later on the 9.x line). No workarounds are documented [1][2]. Because the advisory notes that execution depends on server configuration, configuring the web server not to execute scripts from upload and temporary directories, and limiting which accounts hold file-upload permission, reduces exposure but does not replace the upgrade.
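As an added example (not code from this page, from Concrete CMS, or from its fix), the PHP below sketches both the ordering problem described under Vulnerability and the check described under Mitigation: a remote-file importer that writes under the public web root and validates afterwards, beside one that validates the extension before fetching anything. Function names, the allowlist, the fake fetcher and the demo paths are assumptions; staging the download outside the document root and choosing the on-disk filename server-side are additional hardening beyond the pre-download check the page attributes to 8.5.7.

```php
<?php
declare(strict_types=1);

// Added example, not Concrete CMS code. Two orderings of an "import file from
// URL" routine: the vulnerable one mirrors what the advisory describes (write the
// remote file under the public web root first, validate the extension afterwards);
// the fixed one validates before fetching, as the 8.5.7 fix does, and additionally
// stages the download outside the document root (extra hardening, assumed here).
// Function and parameter names are illustrative, not the CMS's own API.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/** Lower-cased extension of the URL's path component ('' if none). */
function extensionFromUrl(string $url): string
{
    $path = parse_url($url, PHP_URL_PATH);
    $path = is_string($path) ? $path : '';
    return strtolower(pathinfo($path, PATHINFO_EXTENSION));
}

/** Allowlist check: an empty extension is rejected too. */
function isAllowedExtension(string $ext, array $allowed = ALLOWED_EXTENSIONS): bool
{
    return $ext !== '' && in_array($ext, $allowed, true);
}

/**
 * VULNERABLE ordering: download into a randomly named directory under the web
 * root, then validate. From the write until the unlink, anyone who guesses the
 * directory name can request the file, and a stalled upload keeps the file
 * there for as long as the fetch is in progress.
 */
function importRemoteFileVulnerable(string $publicRoot, string $url, callable $fetch): ?string
{
    $dir = $publicRoot . '/' . bin2hex(random_bytes(8));
    mkdir($dir, 0755, true);
    $path = parse_url($url, PHP_URL_PATH);
    $dest = $dir . '/' . basename(is_string($path) ? $path : 'file');
    file_put_contents($dest, $fetch($url));   // attacker-controlled bytes now sit under the web root
    if (!isAllowedExtension(extensionFromUrl($url))) {
        unlink($dest);                         // too late: the file was reachable while staged
        rmdir($dir);
        return null;
    }
    return $dest;
}

/**
 * FIXED ordering: reject disallowed extensions before fetching a single byte,
 * stage into a private directory, and pick the on-disk name ourselves so the
 * remote side never chooses a filename that lands under the web root.
 */
function importRemoteFileFixed(string $privateTmp, string $url, callable $fetch): ?string
{
    $ext = extensionFromUrl($url);
    if (!isAllowedExtension($ext)) {
        return null;                           // nothing downloaded, nothing staged
    }
    $dir = $privateTmp . '/' . bin2hex(random_bytes(8));
    mkdir($dir, 0700, true);
    $dest = $dir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    file_put_contents($dest, $fetch($url));
    return $dest;
}

// Offline demo: a fake fetcher standing in for the network (constructed input).
$fakeFetch = fn(string $url): string => '<?php phpinfo(); ?>';
$publicRoot = sys_get_temp_dir() . '/demo-public';
$privateTmp = sys_get_temp_dir() . '/demo-private';

$a = importRemoteFileVulnerable($publicRoot, 'http://attacker.example/shell.php', $fakeFetch);
$b = importRemoteFileFixed($privateTmp, 'http://attacker.example/shell.php', $fakeFetch);
$c = importRemoteFileFixed($privateTmp, 'http://cdn.example/logo.png', $fakeFetch);

printf("vulnerable: %s\nfixed (.php): %s\nfixed (.png): %s\n",
    var_export($a, true), var_export($b, true), $c === null ? 'NULL' : 'staged privately');

if ($c !== null) { unlink($c); rmdir(dirname($c)); }   // clean up the demo file
```

Run it with `php example.php`. Both importers reject the .php import, but only the fixed one does so without ever creating a file under the public root, which is the property the advisory's brute-force attack depends on. The check keys on the extension in the URL path, so a real importer also has to handle redirects and Content-Disposition headers that change the effective filename; and none of this replaces a web server configuration that refuses to execute scripts from upload and temporary directories.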

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions   Patched versions
concrete5/core   Packagist   < 8.5.7             8.5.7

Affected products: 2

Patches: 0 (no patch commits discovered yet)

References: 4
