CVE-2017-8082
MEDIUMconcrete5 8.1.0 - Cross-Site Request Forgery in Thumbnail Editor
Title source: llmDescription
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results in a site-wide denial of service making the site not accessible to any users or any administrators.
References (3)
Core 3
Core References
Exploit x_refsource_misc
https://drive.google.com/open?id=0B3vXUYdNMECWZTd3SFRnUjllWk0
Exploit, Third Party Advisory x_refsource_misc
http://zeroday.insecurity.zone/exploits/concrete5_csrf_dos.txt
Third Party Advisory x_refsource_misc
https://twitter.com/insecurity/status/856066923146215425
Scores
CVSS v3
6.5
EPSS
0.0120
EPSS Percentile
64.5%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Details
CWE
CWE-352
Status
published
Products (1)
concretecms/concrete_cms
8.1.0
Published
Apr 24, 2017
Tracked Since
Feb 18, 2026