CVE-2023-48648: 
PHP vulnerability analysis and mitigation

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified (Concrete Release Notes, NVD).

The vulnerability is tracked as CVE-2023-48648 and has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue stems from incorrect default permissions (CWE-276) where file creation functions automatically set universal access (0777) permissions on newly created directories (NVD).

The vulnerability could allow unauthorized access to directories and their contents due to overly permissive directory permissions. This could potentially lead to information disclosure, unauthorized file access, and system compromise (Vendor Advisory).

The vulnerability has been fixed in Concrete CMS versions 8.5.13 and 9.2.2. Users should upgrade to these or later versions. The fix ensures proper directory permissions are set when creating new folders (Release Notes).

The Concrete CMS Security team scored this vulnerability as 6.6 (Medium) with CVSS v3 vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability was reported by tahabiyikli-vortex through the HackerOne program (Vendor Advisory).