Open Redirect Affecting concrete5/concrete5 package, versions <8.5.6


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.05% (25th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Open Redirect vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PHP-CONCRETE5CONCRETE5-1726759
  • published27 Sept 2021
  • disclosed27 Sept 2021
  • creditUnknown

Introduced: 27 Sep 2021

CVE-2021-40109  (opens in a new tab)
CWE-601  (opens in a new tab)

How to fix?

Upgrade concrete5/concrete5 to version 8.5.6 or higher.

Overview

concrete5/concrete5 is a concrete5 open source CMS.

Affected versions of this package are vulnerable to Open Redirect. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type. The redirect is followed and loads the contents of the file from the redirected-to server. Files of disallowed types can be uploaded.

CVSS Scores

version 3.1