2023-11-09 Security Blog about updated CVEs and new releases

Nov 9, 2023
by lisan

There have been a number of medium and low security vulnerabilities that have been fixed in version 9.2.2. Also, as part of our commitment to extend support to Concrete CMS version 8.5 through 2024, we have backported a large number of security fixes into Concrete 8.5.13. We are also updating a number of published Concrete CVEs to clarify that they do not apply to version 8.5. [updated 21 Nov 2023 to provide CVE numbers]

Thanks so much to all the community members who report vulnerabilities following the process outlined on https://www.concretecms.org/security and https://hackerone.com/concretecms?type=team so that they can be triaged and remediated by the Concrete Team!

Fixes in both Releases 9.2.2 and 8.5.13

The following security fixes were put in place for both Concrete 9.2.2 and 8.5.13. We have obtained two new Concrete CMS CVEs to advise the community of validated weaknesses in previous versions. 

  • We updated to Guzzle 6.5.8 (for Concrete 8.5.13) and to Guzzle 7.8 (for Concrete 9.2.2) to ensure Concrete CMS is not vulnerable to Guzzle CVE-2023-29197. Thank you Danilo Costa for reporting H1 2132287!
  • We are issuing a CVE because directories could be created with insecure permissions: file creation functions gave universal access (0777) to created folders by default. Excessive permissions could be granted when creating a directory with permissions greater than 0755 or when the permissions argument was not specified. The Concrete CMS Security team scored this 6.6 (Medium) with CVSS v3 vector [AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H]. Thanks tahabiyikli-vortex for reporting H1 2122245. Thanks Mlocati for providing the fix. [update 21 Nov 2023 - CVE-2023-48648 has been issued]
  • We are issuing a CVE since stored XSS on the Concrete Admin page was possible due to unsanitized uploaded file names. The Concrete CMS Security team scored this 3.5 with CVSS v3 vector [AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N]. Thanks @akbar_jafarli for reporting H1 2149479. [update 21 Nov 2023 - CVE-2023-48649 has been issued]
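The directory-permission weakness above comes down to a default argument. The following is an added example, not Concrete CMS code, showing the insecure pattern the advisory describes beside a hardened helper that defaults to 0755 and clamps any requested mode so that group/world-write bits can never be granted. The function names, the 0755 ceiling and the audit helper are assumptions made for this illustration.

```php
<?php
// Added example (not Concrete CMS code): creating directories without ever
// falling back to world-writable 0777 permissions.
declare(strict_types=1);

const MAX_DIR_MODE = 0755;   // owner rwx, group/others rx; no write bit for group or world

/**
 * Before (the pattern the advisory describes): an omitted mode silently
 * becomes 0777, and a caller asking for 0777 gets it. Kept only as the
 * insecure reference; it is not called below.
 */
function makeDirectoryInsecure(string $path, ?int $mode = null): bool
{
    return mkdir($path, $mode ?? 0777, true);
}

/**
 * After: default to 0755 and strip any bit outside it, so an omitted argument
 * or a request for 0777 both end up at 0755. The owner always keeps rwx so
 * the directory remains usable by the web server process.
 */
function safeDirectoryMode(?int $mode): int
{
    if ($mode === null) {
        return MAX_DIR_MODE;
    }
    // AND removes group-write, world-write and setuid/setgid/sticky bits.
    return ($mode & MAX_DIR_MODE) | 0700;
}

function makeDirectory(string $path, ?int $mode = null): bool
{
    if (is_dir($path)) {
        return true;
    }
    // The process umask may still remove bits from this mode; it can never add any.
    return mkdir($path, safeDirectoryMode($mode), true);
}

/** Audit helper: list directories under $root that are writable by everyone. */
function findWorldWritableDirs(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        if ($entry->isDir() && (fileperms($entry->getPathname()) & 0002)) {
            $hits[] = $entry->getPathname();
        }
    }
    return $hits;
}

// Demonstration on a throwaway directory under the system temp dir.
$base = sys_get_temp_dir() . '/perm-demo-' . bin2hex(random_bytes(4));
makeDirectory("$base/good/nested");       // no mode given: 0755
makeDirectory("$base/clamped", 0777);     // asked for 0777: clamped to 0755
printf("%s => %o\n", "$base/good/nested", fileperms("$base/good/nested") & 0777);
printf("%s => %o\n", "$base/clamped", fileperms("$base/clamped") & 0777);
var_dump(findWorldWritableDirs($base));   // empty array: nothing world-writable
```

The audit helper is the part worth keeping around after an upgrade: run it against the application's files and cache directories to confirm that nothing created under the old default is still world-writable.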

We remediated the following two CVEs that were not created by the Concrete CMS Team. We implore the community to report vulnerabilities to the Core Team so that they can be remediated before being advertised. This helps keep Concrete safer for all. 

  • CVE-2023-44761 was fixed so that Concrete Admins cannot add XSS via Data Objects.
  • CVE-2023-44765 was fixed so that Concrete Admins cannot add stored XSS to Associations (via Data Objects).

CVEs Not Applicable to Concrete 8.5 

The following CVEs only affect Concrete Versions 9.0 to 9.13. We are communicating with MITRE to have them updated to clearly identify that they do not affect version 8.5 and below.

  • CVE-2023-28471 since Concrete versions below 9 do not use containers.
  • CVE-2023-28474 since the vulnerability was introduced in version 9. 
  • CVE-2023-28475 since the file details page does not exist in the Concrete Dashboard below version 9.0.0

Fixes in Release 8.5.13

In addition to better sanitization of Plural handles and Custom labels in Express objects, the following CVEs were fixed for the Concrete 8.5 version. We are working with MITRE to have the CVEs updated to reflect the applicable versions. Prior to these fixes, the Concrete 8.5 version was vulnerable to:

CVE-2023-28477 stored XSS on API Integrations via the name parameter. Prior to the fix, while adding API Integrations on Concrete CMS, the name parameter accepted special characters, enabling malicious JavaScript payloads impacting /dashboard/system/api/integrations and /dashboard/system/api/integrations/view_client/unique-id. The Concrete CMS Security team scored this 5.5 with CVSS v3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N. Thanks again Veshraj Ghimire for reporting H1 1753684 and providing the original fix.

CVE-2023-28475 reflected XSS on the Reply form because msgID was not sanitized in the 8.5 version. The Concrete CMS Team ranked this 4.2 (medium) with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. Thanks again Bogdan Tiron for the discovery.

CVE-2023-28819 stored XSS in uploaded file and folder names since Concrete CMS was rendering data without sanitizing it. The Concrete CMS Security team scored this 3.5 with CVSS v3.1 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. Thanks again solov9ev for reporting H1 1472270.
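Four of the issues on this page (the uploaded file name XSS fixed in 9.2.2 and 8.5.13, CVE-2023-28477's name parameter, CVE-2023-28475's msgID, and CVE-2023-28819's file and folder names) share one root cause: a user-controlled string reaches an HTML sink without escaping. The following is an added example, not Concrete CMS code, showing the vulnerable rendering pattern beside the hardened one for both a stored value (a file name) and a reflected one (a message id). The helper names, the row markup and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not Concrete CMS code): rendering untrusted values such as an
// uploaded file name or a request parameter without letting them become markup.
declare(strict_types=1);

/** Escape a string for use as HTML text or inside a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Normalise an uploaded file name on the way in: keep the basename only, drop
 * control characters and restrict the character set. This is defence in depth;
 * output escaping with h() is still required wherever the name is displayed.
 */
function sanitizeFileName(string $name): string
{
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[\x00-\x1F\x7F]/u', '', $name) ?? '';
    $name = preg_replace('/[^A-Za-z0-9._-]+/', '_', $name) ?? '';
    $name = trim($name, '._');
    return $name === '' ? 'file' : substr($name, 0, 255);
}

/** Vulnerable pattern: the stored name is interpolated into markup as-is. */
function renderRowVulnerable(string $fileName): string
{
    return "<td class=\"name\">$fileName</td>";
}

/** Hardened pattern: every untrusted value passes through h() at the sink. */
function renderRow(string $fileName): string
{
    return '<td class="name">' . h($fileName) . '</td>';
}

/**
 * Reflected-parameter case: a reply form that echoes an id from the query
 * string. Validate the type first (an id is a positive integer), then escape
 * anyway so the sink is safe even if validation is later relaxed.
 */
function renderReplyForm(array $query): string
{
    $msgId = filter_var(
        $query['msgID'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($msgId === false) {
        return '<p>Invalid message id.</p>';
    }
    return '<input type="hidden" name="msgID" value="' . h((string) $msgId) . '">';
}

// Constructed inputs for the demonstration; not taken from any real report.
$hostileName = 'report<img src=x onerror=alert(1)>.pdf';
echo renderRowVulnerable($hostileName), PHP_EOL;        // tag survives: the stored XSS pattern
echo renderRow($hostileName), PHP_EOL;                  // angle brackets become &lt; and &gt;
echo renderRow(sanitizeFileName($hostileName)), PHP_EOL; // name also normalised on input
echo renderReplyForm(['msgID' => '42"><script>alert(1)</script>']), PHP_EOL; // rejected
echo renderReplyForm(['msgID' => '42']), PHP_EOL;       // accepted and escaped
```

The two layers are deliberate: input normalisation limits what can be stored, but only escaping at the sink protects every template that later displays the value, including ones written after the sanitiser.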

CVE-2023-28472 not having a way to set the Secure and HttpOnly attributes for ccmPoll cookies. We updated the Survey Block Controller and added support for the concrete.session.cookie.cookie_secure value to the ccmPoll cookie (which developers can set to true if they want to use secure cookies). The Concrete CMS Security team scored this 3.4 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N.
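The fix above ties the poll cookie's Secure attribute to configuration. The following is an added example, not the Survey Block Controller's actual code, showing how a cookie like ccmPoll can have its Secure and HttpOnly attributes driven by a config lookup using PHP's setcookie() options array. The config key concrete.session.cookie.cookie_secure is the one named in the advisory; the $config callable, the one-year lifetime, the SameSite value and the vote encoding are assumptions made for this illustration.

```php
<?php
// Added example (not Concrete CMS code): issuing a poll cookie whose Secure and
// HttpOnly attributes follow configuration instead of being hard-coded off.
declare(strict_types=1);

/**
 * Build the options array for setcookie() from a config lookup.
 * $config is an assumed callable: $config(string $key, $default) -> value.
 */
function pollCookieOptions(callable $config, bool $isHttpsRequest): array
{
    // Secure follows config, but is never set on a plain-HTTP response, where the
    // browser would simply discard the cookie and the poll would stop working.
    $secure = (bool) $config('concrete.session.cookie.cookie_secure', false) && $isHttpsRequest;

    return [
        'expires'  => time() + 60 * 60 * 24 * 365, // votes remembered for a year (assumption)
        'path'     => '/',
        'secure'   => $secure,
        'httponly' => true,   // the poll script never needs to read this cookie from JavaScript
        'samesite' => 'Lax',  // the vote is submitted by a same-site form post
    ];
}

/**
 * Record the polls a visitor has voted in. Returns what would be sent so the
 * result can be inspected; $send=false skips the header for demonstrations.
 */
function setPollCookie(array $votedPollIds, callable $config, bool $isHttpsRequest, bool $send = true): array
{
    // Store ids only, as integers, so the cookie value itself carries no markup.
    $value = implode(',', array_map('intval', $votedPollIds));
    $options = pollCookieOptions($config, $isHttpsRequest);

    if ($send && !headers_sent()) {
        setcookie('ccmPoll', $value, $options);
    }

    return ['name' => 'ccmPoll', 'value' => $value, 'options' => $options];
}

// Constructed config lookup standing in for the application's config repository.
$config = static function (string $key, $default = null) {
    $values = ['concrete.session.cookie.cookie_secure' => true];
    return $values[$key] ?? $default;
};

// Over HTTPS with cookie_secure=true: both flags end up set.
$cookie = setPollCookie([12, 7], $config, true, false);
var_dump($cookie['value'], $cookie['options']['secure'], $cookie['options']['httponly']);

// Over plain HTTP the Secure flag is withheld so the cookie is still accepted.
$cookie = setPollCookie([12, 7], $config, false, false);
var_dump($cookie['options']['secure']);
```

When checking a deployment, the cheapest verification is the Set-Cookie header itself: after upgrading and enabling concrete.session.cookie.cookie_secure, a vote response over HTTPS should carry ccmPoll with both the Secure and HttpOnly attributes present.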

CVE-2023-28473 possible Auth bypass in the jobs section. The Concrete CMS Security team scored this 2.2 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N. Thanks again Adrian Tiron from Fortbridge for reporting H1 1772230.