3 matches found
CVE-2021-36766
Concrete5 through 8.5.5 deserializes Untrusted Data. The vulnerable code is located within the controllers/singlepage/dashboard/system/environment/logging.php Logging::updatelogging method. User input passed through the logFile request parameter is not properly sanitized before being used in a ca...
Concrete5 <= 8.5.5 Phar Deserialization Vulnerability
Concrete5 is prone to a deserialization vulnerability. SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:concretecms:concretecms"; ...
CVE-2021-36766
Concrete5 (CMS) up to version 8.5.5 is affected by CVE-2021-36766 due to insecure handling of user input in Logging::update_logging(). The logFile parameter is not sanitized before passing to file_exists(), enabling PHP Object Injection via the phar:// stream wrapper and potentially arbitrary PHP...