CVE-2021-22970

EPSS 0.39%

Server-Side Request Forgery in Concrete CMS

Published: 11/23/2021
Modified: 12/2/2024
Also known as: GHSA-gqpw-9q54-9x28

Description

Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow importing from local IP addresses, which leaves the system vulnerable to SSRF attacks against servers on the private LAN by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local network appsandb.

Affected packages (1)

References (4)