fkie_cve-2021-22966
Vulnerability from fkie_nvd
Published
2021-11-19 19:15
Modified
2024-11-21 05:51
Summary
Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check for group permissions before allowing a group to be moved. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. Credit for discovery: "Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )". This fix is also in Concrete version 9.0.0.
References
Source | URL | Tags |
---|---|---|
support@hackerone.com | https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes | Release Notes, Vendor Advisory |
support@hackerone.com | https://hackerone.com/reports/1362747 | Permissions Required |
af854a3a-2127-422b-91ae-364da2661108 | https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes | Release Notes, Vendor Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1362747 | Permissions Required |
Impacted products
Vendor | Product | Version |
---|---|---|
concretecms | concrete_cms | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B7FD65C-EFA6-40A6-9698-FFEDD4846EE1", "versionEndExcluding": "8.5.7", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted \"view\" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check for group permissions before allowing a group to be moved. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HCredit for discovery: \"Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )\"This fix is also in Concrete version 9.0.0" }, { "lang": "es", "value": "Una escalada de privilegios de Editor a Administrador usando Grupos en Concrete CMS versiones 8.5.6 e inferiores. Si a un grupo le es concedido permisos \"view\" en la p\u00e1gina de bulkupdate, entonces usuarios de ese grupo pueden escalar a ser un administrador con un curl especialmente dise\u00f1ado. Ha sido corregido a\u00f1adiendo una comprobaci\u00f3n de los permisos de grupo antes de permitir que sea movido un grupo. 
Puntuaci\u00f3n CVSS del equipo de seguridad de CMS concreto: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HCredit for discovery: \"Adrian Tiron de FORTBRIDGE ( https://www.fortbridge.co.uk/ ) \"Esta correcci\u00f3n tambi\u00e9n est\u00e1 en Concrete versi\u00f3n 9.0.0" } ], "id": "CVE-2021-22966", "lastModified": "2024-11-21T05:51:02.250", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-11-19T19:15:08.327", "references": [ { "source": "support@hackerone.com", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes" }, { "source": "support@hackerone.com", "tags": [ "Permissions Required" ], "url": "https://hackerone.com/reports/1362747" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "https://hackerone.com/reports/1362747" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Sightings
Author | Source | Type | Date |
---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.