According to an analysis report released today by the security company Edgescan, the content management system Concrete5 contains a serious vulnerability, which has since been fixed in an updated version.
Guram Javakhishvili, senior information security consultant at Edgescan, disclosed an RCE (remote code execution) vulnerability in Concrete5 that, once exploited, can fully compromise both the web application and the web server hosting it.
Concrete5 is a free CMS for building websites and is known for its ease of use. Notable organizations using Concrete5 include GlobalSign, the US Army, REC and BASF.
Javakhishvili pointed out that RCE vulnerabilities are easy to exploit and can give an attacker full access to the application very quickly. During a security assessment of the product, Edgescan found that the site configuration could be modified so that PHP files become acceptable uploads; once the PHP extension is added to the allowed file types, an attacker can upload malicious PHP code and execute system commands on the server.
Through a "reverse shell", the attacker can then take complete control of the web server, run arbitrary commands on it and compromise its integrity, availability and confidentiality. From there, the attacker can pivot to other servers on the internal network.
Javakhishvili added that, following the investigation, Concrete5 has patched the vulnerability and released a new stable version, 8.5.4.
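As an added illustration (this is not Edgescan's or Concrete5's own code), the following POSIX shell script gives a defender two checks that follow directly from the attack described above: whether a CMS's comma-separated "allowed file types" setting contains an extension the web server would execute as PHP, and whether any file already sitting in the upload directory is a PHP script, either by extension or because its first bytes contain a PHP open tag. The default path application/files, the list of PHP-executable extensions and the sample files used in the test are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from Edgescan or the Concrete5 project.
# Assumption: the CMS stores uploads under application/files (override by
# passing a directory); the extension list below is the author's own choice.

# Return 0 and print the offending entries when a comma-separated
# "allowed file types" list (e.g. "jpg, png, PHP") contains an extension
# a typical PHP handler would execute. Returns 1 when the list is clean.
allowed_types_unsafe() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | tr 'A-Z' 'a-z' |
    while IFS= read -r ext; do
        case "$ext" in
            php|php[34578]|phtml|phar|phps|pht|phpt) printf '%s\n' "$ext" ;;
        esac
    done | grep .
}

# Print paths of files under $1 whose extension is PHP-executable.
find_php_by_extension() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[34578]' \
        -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.phps' \) | sort
}

# Print paths of files under $1 whose first 512 bytes contain "<?php",
# whatever the extension (a webshell renamed to .txt still matters if the
# server is ever reconfigured to execute it).
find_php_by_content() {
    find "$1" -type f | while IFS= read -r f; do
        if head -c 512 "$f" | grep -q '<?php'; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Run both file checks on a directory; return 1 if anything was found.
scan_uploads() {
    dir="${1:-application/files}"
    hits="$( { find_php_by_extension "$dir"; find_php_by_content "$dir"; } | sort -u )"
    if [ -n "$hits" ]; then
        printf 'Suspicious upload(s) in %s:\n%s\n' "$dir" "$hits" >&2
        return 1
    fi
    printf 'No PHP payloads found under %s\n' "$dir"
    return 0
}

# Usage: sh scan_uploads.sh /var/www/site/application/files
if [ "$#" -gt 0 ]; then
    scan_uploads "$1"
fi
```

Both checks are after-the-fact detection. The structural fix a practitioner would pair them with is to make the upload directory non-executable regardless of what the CMS configuration allows, for example with `php_admin_flag engine off` in an Apache `<Directory>` block for the uploads path, or an nginx `location` for that path that denies requests for `.php` files, so that a configuration change like the one described here cannot turn an upload into code execution.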
Eoin Keary, CEO of Edgescan, said:
RCE can be disastrous for vulnerable web applications and web servers. In the Edgescan 2020 Vulnerability Statistics Report, nearly 2% of the vulnerabilities found across the entire technology stack were RCE.
The report reminds organizations to take regular steps to keep their CMS deployments secure. Edgescan's recommended measures include keeping the CMS platform and any installed scripts up to date, taking regular backups, and subscribing to the CMS vendor's regularly updated vulnerability list.