Cleartext Transmission of Sensitive Information
CVE-2022-21829
Summary
Concrete CMS versions through 8.5.7 and versions through 9.0.2 can download zip files over HTTP and execute code from those zip files, which could lead to RCE. Fixed by enforcing 'concrete_secure' or 'concrete5_secure' instead of 'concrete'. Concrete now only makes these requests over HTTPS, even if the incoming request arrived over HTTP.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-319 - Cleartext Transmission of Sensitive Information
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
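The summary above describes the fix as forcing the download endpoint to HTTPS regardless of how the site itself was reached. The following is an added Python example of that hardening pattern for a remote-archive fetcher; it is not Concrete CMS code, and the hostnames, archive bytes and fetch function are constructed stand-ins. It also goes one step beyond the described fix by refusing redirects that land on a cleartext URL and by checking an expected digest before the archive is handed to an extractor.

```python
"""HTTPS-only fetching of remote code archives (added example, not Concrete CMS code)."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit, urlunsplit


class InsecureTransportError(Exception):
    """Raised when an archive would travel over a channel that can be sniffed or altered."""


def secure_url(url: str) -> str:
    """Force the scheme to https; reject anything that is not http(s) with a host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise InsecureTransportError(f"unsupported download URL: {url!r}")
    # Upgrade http -> https; drop any fragment, which is never sent to the server anyway.
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))


@dataclass
class Response:
    final_url: str   # URL actually served after any redirects were followed
    body: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_archive(url: str, fetch: Callable[[str], Response],
                  expected_sha256: Optional[str] = None) -> bytes:
    """Fetch a code archive so that it never crosses a cleartext hop.

    The request URL is upgraded before it is sent; a redirect that ends on a
    non-https URL is refused (a downgrade reintroduces CWE-319 even though the
    first hop was secure); and when the caller knows the expected digest, the
    body is verified before anything is allowed to extract or execute it.
    """
    resp = fetch(secure_url(url))
    if urlsplit(resp.final_url).scheme != "https":
        raise InsecureTransportError(f"redirected to cleartext URL: {resp.final_url}")
    if expected_sha256 is not None and sha256_hex(resp.body) != expected_sha256:
        raise ValueError("archive digest mismatch; refusing to extract")
    return resp.body


# Constructed stand-in for an HTTP client so the example runs offline (hypothetical hosts).
def fake_fetch(url: str) -> Response:
    if url == "https://updates.example.test/pkg/addon.zip":
        return Response(url, b"PK\x03\x04 constructed archive bytes")
    if url == "https://updates.example.test/pkg/legacy.zip":
        # Simulates a mirror that redirects the client back to plain HTTP.
        return Response("http://mirror.example.test/pkg/legacy.zip", b"PK\x03\x04")
    raise LookupError(url)
```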