
Cloud Vulnerability DB
A community-led vulnerabilities database
Concrete CMS (formerly concrete5) versions below 8.5.10 and between 9.0.0 and 9.1.2 contained a vulnerability related to legacy password authentication. The vulnerability (CVE-2022-43690) was discovered in October 2022 and was fixed with the release of versions 8.5.10+ and 9.1.3+ (Concrete Advisory).
The vulnerability stemmed from an improper comparison operation in the legacy_salt functionality: a non-strict (loose) comparison was used instead of a strict one when testing a submitted password against the legacy password algorithm. Because a loose comparison may convert its operands before comparing them, this could lead to integer conversion issues. The vulnerability received a CVSS v3.1 score of 3.1 (Low) with the vector string AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N (Concrete Advisory).
The vulnerability could lead to a limited authentication bypass under very specific conditions. It was exploitable only if all of the following held: the comparison operated on integers rather than strings; the targeted user signed up while the site was running concrete5 ~v5.4; that user had not logged in since the site was upgraded beyond v5.4; and the user's stored password hash happened to be generated in a form that looks like an integer (e.g., "0b1111111") (Concrete Advisory).
The vulnerability was addressed in Concrete CMS versions 8.5.10+ and 9.1.3+. The fix involved implementing strict comparison when testing against the legacy password algorithm. Users are advised to upgrade to these versions or later to remediate the vulnerability (Release Notes).
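The following is an added illustration of the bug class described above, not Concrete CMS's own code: a hypothetical legacy password check that compares a stored hash with a freshly computed one using PHP's loose `==`, beside the strict form the fix corresponds to. The function names and the sample hash strings are constructed for the example.

```php
<?php
// Added example (not Concrete CMS code). Demonstrates why a loose comparison of
// password hashes is unsafe and what the strict replacement looks like.

// Weak: PHP's == converts operands before comparing. Two numeric-looking
// strings (e.g. "0e111" and "0e222") are both read as the float 0.0, so hashes
// that differ as text compare equal. Comparing an int with a string under ==
// is similarly unsafe, with behaviour that varies by PHP version.
function legacyVerifyLoose(string $storedHash, string $computedHash): bool
{
    return $storedHash == $computedHash;
}

// Fixed: strict comparison. hash_equals() requires identical byte strings and
// also runs in constant time, which is what a password check should use.
function legacyVerifyStrict(string $storedHash, string $computedHash): bool
{
    return hash_equals($storedHash, $computedHash);
}

// Constructed demonstration values: a stored "hash" that happens to look like a
// number in scientific notation, and a candidate hash that is different text.
$storedHash   = '0e111111111111111111111111111111';
$computedHash = '0e222222222222222222222222222222';

var_dump(legacyVerifyLoose($storedHash, $computedHash));   // loose: numeric compare
var_dump(legacyVerifyStrict($storedHash, $computedHash));  // strict: byte compare

// A genuine match is accepted by both forms.
var_dump(legacyVerifyStrict($storedHash, $storedHash));
```

Only the strict form rejects the mismatched pair; the loose form accepts it because both strings are interpreted as the same number.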
The vulnerability was discovered and reported by security researchers Bogdan and Adrian Tiron from FORTBRIDGE during their 2022 annual penetration testing and vulnerability assessment of Concrete CMS Hosting and the open source project (Concrete Advisory).
Source: This report was generated using AI