CVE-2021-40102

CRITICAL

Concretecms Concrete Cms < 8.5.5 - Insecure Deserialization

Title source: rule

Description

An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method).

References (2)

[Release Notes, Vendor Advisory] https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes

[Permissions Required, Third Party Advisory] https://hackerone.com/reports/921288

Scores

CVSS v3 9.1

EPSS 0.0068

EPSS Percentile 71.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

concretecms/concrete_cms < 8.5.5

Timeline

Published Sep 24, 2021

Tracked Since Feb 18, 2026