Incorrect Default Permissions
CVE-2023-48648
Summary
Concrete CMS versions prior to 8.5.13 and 9.x prior to 9.2.2 allow unauthorized access because directories can be created with insecure permissions. File creation functions (such as the "Mkdir()" function) give universal access "(0777)" to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than "0755" or when the permissions argument is not specified.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- HIGH
- HIGH
CWE-276 - Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
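The following PHP sketch is an added example, not Concrete CMS code or its patch. It shows the behaviour the summary describes, a directory created without a permissions argument ending up "0777", next to a wrapper that caps the mode at "0755". The helper name safe_mkdir(), the MAX_DIR_MODE constant and the temporary paths are assumptions made for illustration, and the modes apply to POSIX file systems only.

```php
<?php
declare(strict_types=1);

// Upper bound for directory permissions (rwxr-xr-x), the limit named in the summary.
const MAX_DIR_MODE = 0755;

/**
 * Hypothetical helper: create a directory whose mode never exceeds MAX_DIR_MODE.
 * Returns the permission bits actually present on disk.
 */
function safe_mkdir(string $path, int $mode = MAX_DIR_MODE): int
{
    // Drop every bit outside 0755 instead of trusting the caller's argument.
    $mode &= MAX_DIR_MODE;
    if (!mkdir($path, $mode, true)) {
        throw new RuntimeException("mkdir failed: $path");
    }
    // mkdir() is filtered by the process umask; chmod() sets the exact mode.
    if (!chmod($path, $mode)) {
        throw new RuntimeException("chmod failed: $path");
    }
    clearstatcache(true, $path);
    return fileperms($path) & 0777;
}

// Constructed demo in a private temporary directory.
$base = sys_get_temp_dir() . '/perm-demo-' . bin2hex(random_bytes(4));
$oldUmask = umask(0);            // permissive umask, so nothing masks the default
mkdir($base, 0700);

mkdir("$base/default");          // permissions argument omitted: PHP uses 0777
clearstatcache();
$unsafe = fileperms("$base/default") & 0777;

$capped  = safe_mkdir("$base/capped", 0777);  // excessive request is reduced
$default = safe_mkdir("$base/plain");         // no argument: 0755
umask($oldUmask);

printf("mkdir() without mode : %04o\n", $unsafe);
printf("safe_mkdir(0777)     : %04o\n", $capped);
printf("safe_mkdir()         : %04o\n", $default);

// Remove the demo directories.
foreach (['default', 'capped', 'plain'] as $dir) {
    rmdir("$base/$dir");
}
rmdir($base);
```

With a umask of 0 the first directory is world-writable, while both safe_mkdir() calls yield 0755. A stricter umask such as 022 would hide the unsafe default, which is why the wrapper sets the mode explicitly instead of relying on it.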