concrete5/concrete5 is vulnerable to server-side request forgery (SSRF). The file import in ‘file.php’ accepts local IP addresses, which allows an attacker to read files from servers on the private LAN and exploit applications on the local network.
documentation.concretecms.org/developers/introduction/version-history/857-release-notes
documentation.concretecms.org/developers/introduction/version-history/901-release-notes
github.com/advisories/GHSA-gqpw-9q54-9x28
github.com/concrete5/concrete5-core/commit/505c8d2ebcb04f53e45a29e67cfc354c13481967
github.com/concrete5/concrete5/commit/d34e7cb107b101296192bfe792e3c2f9ad2d94ea#diff-235cffb7c4c99fba627d9b5c63e7ad49258dae65d34c3c9dd6e087bb9a84cceeR419
github.com/concrete5/concrete5/pull/9975
hackerone.com/reports/1364797