VDB
KO
HIGH

GHSA-52pr-7vmf-2w7x

Concrete CMS is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components

Details

Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that lack the allowed_classes restriction. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. The Concrete CMS security team thanks XananasX7 and Sanjorn Keeratirungsan (dizconnect) for both independently reporting this ssue.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / concrete5/concrete5
Introduced in: 0 Fixed in: 9.5.2
Fix composer require concrete5/concrete5:^9.5.2

References