
Cloud Vulnerability DB
A community-led vulnerabilities database
A bypass of the "add remote files" feature in the Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS versions 8.5.6 and below. The vulnerability (CVE-2021-22968) was discovered in the file upload functionality: external files could be staged in the public directory even when their file extension was disallowed. While the staged files were stored in randomly named directories, it was possible to stall an upload and brute force the directory name (Release Notes).
The vulnerability exists in the File Manager component, where the external file upload feature stages files in the public directory regardless of the configured file extension restrictions. Although the files are stored in directories with random names, an attacker could stall the upload and brute force the directory name to locate and reach the staged file. The vulnerability received a CVSS v3.1 base score of 5.4 (AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N) from the Concrete CMS Security Team (Release Notes).
The vulnerability allows an authenticated admin user with file upload privileges to bypass file extension restrictions and potentially execute malicious code on the server, depending on server configuration. This could lead to remote code execution and compromise of the affected system (Release Notes).
The vulnerability was fixed in Concrete CMS version 8.5.7 and is also included in version 9.0.0. The fix adds a check for allowed file extensions before downloading files to a temporary directory. Users should upgrade to version 8.5.7 or later to address this vulnerability (Release Notes).
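The fix described above comes down to ordering: the extension allowlist must be consulted before any bytes are fetched from the remote URL, and the fetched file must land outside the web root. The following Python block is an added illustration written for this page, not Concrete CMS code; it assumes a constructed allowlist (`ALLOWED_EXTENSIONS`), a caller-supplied `fetch` callback standing in for the HTTP download, and a `staging_root` that the deployment keeps outside the public directory. It goes slightly beyond the page by also ignoring the query string and fragment, decoding percent-encoding, and rejecting NUL bytes, so that none of those can make a `.php` URL look like an allowed extension.

```python
"""Allowlist check on a remote file's extension, performed before the file
is fetched, with the fetched bytes staged outside the web root.
Constructed example for this page, not Concrete CMS code."""
import os
import posixpath
import secrets
import tempfile
from typing import Callable, FrozenSet, Optional
from urllib.parse import unquote, urlparse

# Constructed allowlist; a real deployment uses the CMS's configured list.
ALLOWED_EXTENSIONS: FrozenSet[str] = frozenset(
    {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
)


def extension_from_url(url: str) -> Optional[str]:
    """Return the lower-cased final extension of the URL path, or None.

    The query string and fragment are ignored, so '?name=a.jpg' cannot
    satisfy the check; percent-encoding is decoded so '%2Ephp' is seen as
    '.php'; trailing dots and whitespace are dropped; NUL bytes reject.
    """
    name = posixpath.basename(unquote(urlparse(url).path))
    if "\x00" in name:
        return None
    name = name.strip().rstrip(". ")
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].strip().lower()
    return ext or None


def is_allowed_remote_file(url: str,
                           allowed: FrozenSet[str] = ALLOWED_EXTENSIONS) -> bool:
    """True only when the URL's path ends in an allowlisted extension."""
    ext = extension_from_url(url)
    return ext is not None and ext in allowed


def stage_remote_file(url: str, fetch: Callable[[str], bytes],
                      staging_root: str,
                      allowed: FrozenSet[str] = ALLOWED_EXTENSIONS) -> str:
    """Fetch `url` into a private, randomly named staging directory.

    Raises ValueError *before* calling `fetch` when the extension is not
    allowed, which is the ordering the 8.5.7 fix introduced.  The stored
    file gets a random basename, so nothing from the URL reaches the
    filesystem except the already-validated extension.
    """
    ext = extension_from_url(url)
    if ext is None or ext not in allowed:
        raise ValueError(f"extension not allowed for {url!r}")
    data = fetch(url)  # only reached for allowlisted extensions
    stage_dir = os.path.join(staging_root, secrets.token_hex(16))
    os.makedirs(stage_dir, mode=0o700)
    dest = os.path.join(stage_dir, f"{secrets.token_hex(8)}.{ext}")
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Stage one disallowed and one allowed URL with a recording fetcher.

    Returns what happened so the behaviour can be checked: the disallowed
    URL must be rejected without any fetch, the allowed one fetched once.
    """
    calls = []

    def fetch(u: str) -> bytes:  # stand-in for the real HTTP download
        calls.append(u)
        return b"constructed file body"

    root = tempfile.mkdtemp(prefix="staging_")  # stand-in for a non-public dir
    rejected = False
    try:
        stage_remote_file("https://example.invalid/shell.php", fetch, root)
    except ValueError:
        rejected = True
    dest = stage_remote_file("https://example.invalid/notes.txt", fetch, root)
    with open(dest, "rb") as fh:
        body = fh.read()
    return {"rejected": rejected, "fetched": calls, "dest": dest, "body": body}


if __name__ == "__main__":
    print(demo())
```

Note that an extension allowlist alone does not decide what the web server will execute: whether a staged file is ever interpreted depends on the server configuration, which is why the advisory ties the impact to it and why the staging directory here is meant to sit outside the public tree.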
Source: This report was generated using AI