This security advisory describes one low risk vulnerability.
Exploit availability: No
Description
The vulnerability allows a remote user to execute arbitrary PHP code.
The vulnerability exists because the application lets Concrete5 administrators allow uploading of .php files to the server via File Manager. Once PHP files are allowed, a remote unprivileged user can upload and execute an arbitrary PHP file on the system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
concrete5: 8.0, 8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.4.4, 8.4.5, 8.5.0, 8.5.1, 8.5.2
CPE
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
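
To check an installation for the condition this advisory describes, the following added example (not code from the advisory or from concrete5) audits a File Manager allow-list for PHP-executable extensions and scans an upload directory for files already stored with them. The semicolon-separated `*.ext` list format, the extension set and the sample directory layout are assumptions.

```python
import os
import re
import tempfile

# Extensions commonly mapped to the PHP handler by web servers (assumed list).
PHP_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar"}


def parse_allowlist(allowlist):
    """Split an allow-list such as '*.jpg;*.PHP' into lower-case extensions."""
    parts = re.split(r"[;,\s]+", allowlist.strip())
    return [p.lower().lstrip("*").lstrip(".") for p in parts if p]


def risky_extensions(allowlist):
    """Return the allow-listed extensions that the server would run as PHP."""
    return sorted(set(parse_allowlist(allowlist)) & PHP_EXECUTABLE)


def find_executable_uploads(root):
    """Walk an upload directory and return relative paths of PHP-executable files.

    Every dot-separated suffix is checked, so 'page.php.jpg' is reported too:
    some handler configurations execute a file when any suffix matches.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            suffixes = name.lower().split(".")[1:]
            if PHP_EXECUTABLE & set(suffixes):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def demo():
    """Run both checks on constructed sample data and return the findings."""
    allowlist = "*.jpg;*.png;*.pdf;*.PHP;*.phtml"  # constructed sample setting
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "1234"))
        for name in ("logo.png", "1234/report.pdf", "1234/tool.php", "x.php.jpg"):
            open(os.path.join(root, name), "w").close()
        return risky_extensions(allowlist), find_executable_uploads(root)


if __name__ == "__main__":
    print(demo())
```

Any extension reported by `risky_extensions` should be removed from the allowed file types, and any path reported by `find_executable_uploads` reviewed before it is deleted.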