Incorrect Default Permissions

CVE-2023-48648

Severity High
Score 9.8/10

Summary

The package Concrete CMS, in versions prior to 8.5.13 and 9.x prior to 9.2.2, allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the "Mkdir()" function) give universal access "(0777)" to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than "0755" or when the permissions argument is not specified.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-276 - Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.
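
The pattern described in the summary, as an added PHP example that is not Concrete CMS code or part of the advisory: a directory created without a mode argument next to a helper that caps the mode at 0755, plus an audit of an existing tree. The names `safe_mkdir`, `find_loose_dirs`, `MAX_DIR_MODE` and the scratch paths are hypothetical, and POSIX file modes are assumed.

```php
<?php
declare(strict_types=1);

// Ceiling taken from the advisory: modes beyond 0755 are excessive.
const MAX_DIR_MODE = 0755;

// Hypothetical helper: create a directory whose mode never exceeds MAX_DIR_MODE.
function safe_mkdir(string $path, int $mode = MAX_DIR_MODE): bool
{
    $mode &= MAX_DIR_MODE;   // drop group/other write and any special bits
    if (is_dir($path)) {
        return true;         // existing directories are left for the audit below
    }
    // mkdir() filters $mode through the process umask; chmod() then pins it exactly.
    return mkdir($path, $mode, true) && chmod($path, $mode);
}

// Hypothetical audit: map each directory under $root that is looser than
// MAX_DIR_MODE to its octal mode.
function find_loose_dirs(string $root): array
{
    $loose = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($walker as $entry) {
        if (!$entry->isDir() || $entry->isLink()) {
            continue;        // only real directories, never symlink targets
        }
        $perms = $entry->getPerms() & 0777;
        if ($perms & ~MAX_DIR_MODE) {
            $loose[$entry->getPathname()] = sprintf('%04o', $perms);
        }
    }
    return $loose;
}

// Constructed demo on a scratch tree (POSIX file modes assumed).
$base = sys_get_temp_dir() . '/perm-demo-' . bin2hex(random_bytes(4));
$previous = umask(0);              // worst case: no umask narrows the default
mkdir($base, 0700);
mkdir("$base/uploads");            // flawed pattern: no mode given, so 0777
safe_mkdir("$base/cache", 0777);   // requested 0777 is clamped to 0755
umask($previous);
print_r(find_loose_dirs($base));
```

Running `find_loose_dirs` against a deployed web root after upgrading shows directories that were created before the fix and still carry the old mode.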

Advisory Timeline

  • Published