Cleartext Transmission of Sensitive Information

CVE-2022-21829

Severity High
Score 9.8/10

Summary

Concrete CMS versions through 8.5.7 and through 9.0.2 can download zip files over HTTP and execute code from those zip files, which could lead to RCE. Fixed by enforcing 'concrete_secure' or 'concrete5_secure' instead of 'concrete'. Concrete now only makes requests over HTTPS, even when a request comes in via HTTP.
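The behaviour change described above, as an added illustration that is not Concrete CMS code: a pre-fix resolver that follows the incoming request's scheme, the post-fix resolver that always uses the secure entry, and a gate on the download path that refuses cleartext. The config keys 'concrete' and 'concrete_secure' mirror the names in the summary; the config layout, host and helper names are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed config with the key names the advisory mentions; the layout and
# host are assumptions for this example, not Concrete CMS's real config.
URLS = {
    "concrete": "http://marketplace.example.test",
    "concrete_secure": "https://marketplace.example.test",
}


def vulnerable_base_url(incoming_scheme: str) -> str:
    """Pre-fix behaviour as the advisory describes it: the marketplace base URL
    follows the scheme of the incoming request, so an HTTP visitor causes the
    package zip to be fetched over cleartext."""
    return URLS["concrete_secure"] if incoming_scheme == "https" else URLS["concrete"]


def fixed_base_url(incoming_scheme: str) -> str:
    """Post-fix behaviour: always the *_secure entry, whatever the incoming scheme."""
    return URLS["concrete_secure"]


def enforce_https(url: str) -> str:
    """Defence-in-depth gate on the download path itself (assumed helper):
    upgrade http:// to https:// and refuse any other scheme, so the code that
    extracts and executes a fetched zip cannot be reached over cleartext."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    if parts.scheme == "http":
        return parts._replace(scheme="https").geturl()
    raise ValueError(f"refusing package download over {parts.scheme!r}: {url}")


def package_download_url(incoming_scheme: str, package: str,
                         resolver=fixed_base_url) -> str:
    """Resolve the zip URL for a package and pass it through the HTTPS gate.
    With the vulnerable resolver the gate still upgrades the URL, which is why
    the check belongs on the download path and not only in the config."""
    base = resolver(incoming_scheme)
    return enforce_https(f"{base}/download/{package}.zip")
```

Transport encryption protects the archive in transit only; whether the archive itself should be trusted before extraction is a separate control that this example does not address.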

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Availability Impact: HIGH
  • Scope: UNCHANGED
  • Privileges Required: NONE
  • User Interaction: NONE
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH

CWE-319 - Cleartext Transmission of Sensitive Information

The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Advisory Timeline

  • Published