CVE-2020-24986

7.2 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to upload PHP files through Concrete5's File Manager by modifying site configuration. Successful exploitation leads to remote code execution on the web server. All Concrete5 installations up to version 8.5.2 are affected.

💻 Affected Systems

Products:
  • Concrete5 CMS
Versions: Up to and including 8.5.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to File Manager functionality

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise leading to data theft, malware deployment, or use as an attack platform

🟠 Likely Case: Webshell installation allowing persistent backdoor access and data exfiltration

🟢 If Mitigated: File upload blocked or PHP execution prevented in upload directories

🌐 Internet-Facing: HIGH - Web applications are directly accessible and attackers can exploit remotely
🏢 Internal Only: MEDIUM - Requires authenticated access but internal attackers could still exploit

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access but is straightforward once access is obtained

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5.3 and later

Vendor Advisory: https://documentation.concretecms.org/developers/introduction/version-history/853-release-notes

Restart Required: No

Instructions:

1. Back up your Concrete5 installation and database.
2. Download Concrete5 version 8.5.3 or later.
3. Replace all files with the new version.
4. Run the update script if prompted.

🔧 Temporary Workarounds

Restrict PHP execution in upload directories

Platform: all

Add .htaccess rules to prevent PHP execution in upload directories.

Add to .htaccess in upload directories:

<FilesMatch "\.php$">
    # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
    Order Allow,Deny
    Deny from all
</FilesMatch>

Implement file type validation

Platform: all

Add server-side validation to block PHP file uploads

🧯 If You Can't Patch

  • Restrict File Manager access to trusted administrators only
  • Implement web application firewall rules to block PHP file uploads

🔍 How to Verify

Check if Vulnerable:

Check Concrete5 version in admin dashboard or via /concrete/config/concrete.php

Check Version:

grep "APP_VERSION" /path/to/concrete/config/concrete.php

Verify Fix Applied:

Confirm version is 8.5.3 or higher and test PHP file upload is blocked
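
An added example, not part of the original advisory or the Concrete5 project: a shell helper that combines the version check above with two checks drawn from the workaround and log-indicator sections (PHP-executable files under the upload directory, and whether its .htaccess carries a FilesMatch rule). The version string and upload directory are supplied by the operator; `sort -V`, `find -iname`, and the extension list beyond `.php` are assumptions.

```shell
#!/bin/sh
# Added triage helper (not from the advisory or the Concrete5 project).
FIXED_VERSION="8.5.3"   # first fixed release according to the page

# version_is_fixed VERSION -> exit 0 when VERSION >= FIXED_VERSION.
# Assumes a sort(1) that supports -V (GNU coreutils, BSD).
version_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# list_php_uploads DIR -> print files a PHP handler might execute.
# The extension list beyond .php is an assumption; match it to your handler config.
list_php_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) -print
}

# has_php_block DIR -> exit 0 when DIR/.htaccess has a FilesMatch rule naming php.
# Presence check only; it does not prove the rule is honoured by the server.
has_php_block() {
    [ -f "$1/.htaccess" ] && grep -Eiq '<FilesMatch[^>]*php' "$1/.htaccess"
}

# triage VERSION UPLOAD_DIR -> print findings; return value is the finding count.
triage() {
    findings=0
    if ! version_is_fixed "$1"; then
        echo "VULNERABLE: version $1 is below $FIXED_VERSION"
        findings=$((findings + 1))
    fi
    hits=$(list_php_uploads "$2")
    if [ -n "$hits" ]; then
        echo "SUSPICIOUS: PHP-executable files under $2:"
        echo "$hits"
        findings=$((findings + 1))
    fi
    if ! has_php_block "$2"; then
        echo "MISSING: no FilesMatch PHP rule in $2/.htaccess"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage: sh triage.sh 8.5.2 /path/to/upload/dir
if [ "$#" -eq 2 ]; then
    triage "$1" "$2"
fi
```

A non-zero exit status is the number of findings, so the script can gate a deployment or scheduled check.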

📡 Detection & Monitoring

Log Indicators:

  • PHP file uploads via File Manager
  • Configuration modification attempts
  • Unusual file creation in upload directories

Network Indicators:

  • POST requests with PHP file uploads to File Manager endpoints

SIEM Query:

source="web_logs" AND (uri_path="/index.php/dashboard/system/files/uploads" OR uri_path="/index.php/dashboard/files/search") AND (file_extension="php" OR file_type="application/x-php")
