Security Advisory 2023-10-25 Concrete CMS rejects CVE-2023-44763
Please remember that anyone can, and should, report a security issue with Concrete CMS to the Concrete CMS HackerOne program. The Concrete CMS team has a vulnerability remediation process that has been validated as robust by external, accredited SOC 2 auditors. How to report security vulnerabilities is also outlined on the Concrete CMS Security page, which clearly indicates that validating file uploads is not in scope for the Concrete CMS security program.
The Concrete CMS Best Practices Configuration documentation instructs that uploaded files other than images should be set to text/plain. It also refers to the Allowed File Types documentation and the Validating File Uploads documentation. Allowed file types should be set to the minimum necessary (dashboard/system/files/filetypes).
If a website owner is concerned about administrators uploading certain types of files:
- they can configure their Concrete site to reject any file type for upload by excluding it from the allowed file types, or
- if a website owner wants to prevent administrators from customizing the list of allowed file extensions, they can create a file named concrete.php in the application/config directory specifying which file types they would like to allow.
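An added example of the second option, not taken from the advisory or the Concrete CMS documentation: an application/config/concrete.php that pins the allowed upload extensions to an image-only list. The config key concrete.upload.extensions and the semicolon-separated *.ext list format are assumed from the defaults shipped in concrete/config/concrete.php; confirm them against your installed version.

```php
<?php
// application/config/concrete.php (added example, not the project's own file).
// Values set here take precedence over what administrators save through the
// Dashboard Allowed File Types page, so the list cannot be widened from the UI.
// Assumption: key name and list format match the shipped Concrete CMS defaults.
return [
    'upload' => [
        // Minimum set for a site that only needs raster images. Anything not
        // listed (*.pdf, *.html, *.svg, *.php, ...) is rejected on upload.
        // Weak setting this replaces: a broad default list that includes
        // document and markup types the site never needs to accept.
        'extensions' => '*.jpg;*.jpeg;*.png;*.gif;*.webp',
    ],
];
```

After deploying the file, open the Allowed File Types page in the Dashboard and confirm the list shows only these extensions and cannot be changed there.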
We are considering adding a check to the health report page to make failed or missing health reports more prominent. We will also consider disabling PDF upload by default to help less knowledgeable Concrete users.