CVE-2023-48648

EPSS 0.73%
Veröffentlicht 17.11.2023 04:15:07
Zuletzt bearbeitet 21.11.2024 08:32:10
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Concretecms ≫ Concrete Cms Version < 8.5.13

Concretecms ≫ Concrete Cms Version >= 9.0 < 9.2.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.73%	0.723

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release

Vendor Advisory

Release Notes

https://documentation.concretecms.org/developers/introduction/version-history/8513-release-notes

Release Notes

https://documentation.concretecms.org/developers/introduction/version-history/922-release-notes

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2023-48648

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-48648

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-48648

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-48648