Main Vulnerability Database Vulnerabilities #VU46308

#VU46308 Security restricitons bypass in concrete5 - CVE-2020-24986

Published: September 7, 2020

Vulnerability identifier: #VU46308

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2020-24986

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
concrete5

Software vendor:
PortlandLabs

Description

The vulnerability allows a remote user to execute arbitrary PHP code.

The vulnerability exists due to application allows Concrete5 administrators to allow uploading of .php files to the server via File Manager. Once PHP files are allowed, a remote unprivileged user can upload and execute arbitrary PHP file on the system.

Remediation

Install updates from vendor's website.

External links

https://hackerone.com/reports/768322

#VU46308 Security restricitons bypass in concrete5 - CVE-2020-24986

Description

Remediation

External links

Please verify you're human