CVE-2021-40097
HIGH
Concrete CMS < 8.5.5 - Authenticated Path Traversal and Remote Code Execution via bFilename Parameter
Title source: llm
Description
An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to remote code execution via uploaded PHP code, related to the bFilename parameter.
References (2)
Core References
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1102067
Release Notes, Vendor Advisory x_refsource_misc
https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes
Scores
CVSS v3
8.8
EPSS
0.0243
EPSS Percentile
82.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (1)
concretecms/concrete_cms
< 8.5.5
Published
Sep 27, 2021
Tracked Since
Feb 18, 2026