CVE-2021-22951: 
PHP vulnerability analysis and mitigation

A vulnerability was discovered in Concrete CMS (previously concrete5) prior to version 8.5.7 that allowed unauthorized individuals to view password-protected files using the view_inline feature. The vulnerability was identified and reported by the Solar Security Research Team, and was assigned CVE-2021-22951. The issue affected all versions of Concrete CMS up to version 8.5.7, including the software's previous name concrete5 (Release Notes, NVD).

The vulnerability stems from improper validation in the view_inline feature, which failed to check if a file was password-protected before rendering it. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that it can be exploited over the network with low attack complexity, requires no privileges or user interaction, and primarily impacts confidentiality (NVD).

The vulnerability allows unauthorized users to access password-protected files through the view_inline feature, potentially exposing sensitive information that was intended to be restricted. The impact is limited to information disclosure without affecting system integrity or availability (Release Notes).

The vulnerability was patched in Concrete CMS version 8.5.7 and is also fixed in version 9.0.0. For version 8.5.6, temporary mitigations were implemented including restricting file types for view_inline to images only and adding a warning in the file manager to advise users. The permanent fix involves checking if a file has a password in view_inline and preventing the file from being rendered if it is password-protected (Release Notes).