Skip to main content

Channel Accessible by Non-Endpoint

CVE-2021-40099

Severity High
Score 7.2/10

Summary

An issue was discovered in Concrete CMS through 8.5.5. Fetching the update json scheme over HTTP leads to remote code execution.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • HIGH
  • HIGH
  • HIGH

CWE-300 - Channel Accessible by Non-Endpoint

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

Advisory Timeline

  • Published