If it is a valid vulnerability, the team can make sure there’s a fix available before the vulnerability is disclosed to the public. That makes the internet safer for all! If it is not a valid finding, the reporter can learn more about the system, the public is not alarmed unnecessarily, and everyone can save time.
Security Advisory 2023-10-31 Concrete CMS rejects CVE-2023-44760 and CVE-2023-44766
We have opened an issue on the reporter’s GitHub repository to advise the individual of our security program and to recommend coordinated (responsible) disclosure for any future findings.
Concrete CMS has a security program at https://hackerone.com/concretecms. We ask everyone to use that channel to report suspected security issues so that a fix can be coordinated before publication. We are always open to having conversations with security researchers about Concrete CMS.
We have become aware that there are other Concrete CMS CVEs which were not initiated by the Concrete CMS team. We will do a full audit and bring each one through our Vulnerability Management Process. Stay tuned for a blog post in the near future.
The good news is that this has spurred us to jumpstart the process for the Concrete CMS project to become a CVE Numbering Authority (CNA) for Concrete CMS. As a CNA, the project assigns and publishes CVE records for its own products, which helps ensure that the Concrete CMS team can validate and address vulnerabilities before they are disseminated to the public.