CVE-2022-30117

Vendor N/A
Product https://github.com/concrete5/concrete5
Weakness CWE-22 · Path traversal
Published June 24, 2022
Last update August 3, 2024

What the vulnerability does

01 Description

Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations. Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting.

Key dates

02 Disclosure timeline

June 24, 2022 CVE published
August 3, 2024 Record updated