CVE-2021-40102

Severity CVSS v4.0:
Pending analysis
Type:
CWE-502 Deserialization of Untrusted Dat
Publication date:
24/09/2021
Last modified:
30/09/2021

Description

An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method).

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:* 8.5.5 (including)