CVE-2021-40098

9.8 CRITICAL

📋 TL;DR

This vulnerability in Concrete CMS allows attackers to perform path traversal attacks through external forms, leading to remote code execution. It affects all Concrete CMS installations through version 8.5.5. Attackers can exploit this to take full control of affected systems.

💻 Affected Systems

Products:
  • Concrete CMS
Versions: All versions through 8.5.5
Operating Systems: All operating systems running Concrete CMS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations with external forms functionality enabled.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full administrative access, data theft, and potential lateral movement to other systems.

🟠 Likely Case

Remote code execution leading to website defacement, data exfiltration, or installation of backdoors/malware.

🟢 If Mitigated

Limited impact with proper network segmentation and web application firewalls blocking exploitation attempts.

🌐 Internet-Facing: HIGH - Web CMS systems are typically internet-facing and directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal CMS instances could be exploited by malicious insiders or through compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on HackerOne and require minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5.6 and later

Vendor Advisory: https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes

Restart Required: No

Instructions:

  1. Back up your Concrete CMS installation and database.
  2. Download Concrete CMS version 8.5.6 or later.
  3. Replace all files with the new version.
  4. Run any database update scripts if prompted.

🔧 Temporary Workarounds

Disable External Forms (applies to: all)

Temporarily disable or restrict access to external forms functionality.

Web Application Firewall Rules (applies to: all)

Implement WAF rules to block path traversal patterns and regex manipulation attempts.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the CMS from critical systems
  • Deploy a web application firewall with rules specifically blocking path traversal patterns

🔍 How to Verify

Check if Vulnerable:

Determine the installed Concrete CMS version (admin dashboard or the 'version' parameter in /concrete/config/app.php); any version through 8.5.5 is vulnerable.

Check Version:

Check /concrete/config/app.php for 'version' parameter or use Concrete CMS admin dashboard.

Verify Fix Applied:

Confirm version is 8.5.6 or higher and test external forms functionality for path traversal.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in web server logs
  • Requests containing '../' sequences or regex manipulation
  • External form submissions with suspicious parameters

Network Indicators:

  • HTTP requests with path traversal sequences to CMS endpoints
  • Unusual outbound connections from CMS server

SIEM Query:

web.url:*../* AND (web.url:*concrete* OR web.url:*cms*)
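As an added example (not from the original page or from the Concrete CMS project), the following Python script applies the log indicators above to constructed web server access log lines. It parses combined-format entries, percent-decodes the request path (up to twice, to cover double encoding) before looking for '..' path segments, notes whether the request targets a CMS endpoint, and records whether the page's literal SIEM query (`*../*` together with `concrete` or `cms`) would also have matched. The log lines, IP addresses and paths are constructed sample data, not real traffic, and the `/concrete/forms/` prefix is an assumed placeholder path.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "GET /index.php/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2021:13:55:40 +0000] "POST /concrete/forms/../../../../etc/hosts HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2021:13:55:41 +0000] "POST /concrete/forms/%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2021:13:55:42 +0000] "POST /concrete/forms/%252e%252e%252fconfig HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2021:13:56:01 +0000] "GET /blog/../images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2021:13:56:05 +0000] "GET /concrete/themes/file..png HTTP/1.1" 404 128 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identity, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A traversal segment is ".." bounded by path separators (or start/end of path).
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize_path(path: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so single- and double-encoded
    traversal sequences are compared in one canonical form; fold backslashes
    to forward slashes so '..\\' is treated like '../'."""
    decoded = path
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if the decoded request path contains a '..' path segment."""
    return TRAVERSAL_RE.search(normalize_path(path)) is not None


def is_cms_endpoint(path: str) -> bool:
    """Same endpoint filter as the page's SIEM query: 'concrete' or 'cms' in the URL."""
    lower = normalize_path(path).lower()
    return "concrete" in lower or "cms" in lower


def literal_siem_match(path: str) -> bool:
    """Mirror the page's SIEM query literally: raw URL must contain '../' AND
    'concrete' or 'cms'. Encoded traversal does not satisfy the first clause."""
    lower = path.lower()
    return "../" in lower and ("concrete" in lower or "cms" in lower)


def flag_traversal_requests(log_text: str) -> list:
    """Parse each log line and return one record per request whose decoded
    path contains a traversal segment, with the CMS-endpoint and literal-query
    verdicts so the two detection approaches can be compared."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        path = m.group("path")
        if not is_traversal(path):
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "path": path,
            "cms_endpoint": is_cms_endpoint(path),
            "literal_siem_hit": literal_siem_match(path),
        })
    return hits


if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['path']} "
              f"cms={hit['cms_endpoint']} literal_query_hit={hit['literal_siem_hit']}")
```

On the constructed sample, four requests carry a traversal segment once decoded, but only the first (plain `../`) would be caught by the literal `web.url:*../*` query; the single- and double-encoded variants need decoding before matching, so a SIEM rule should normalize the URL field or add `%2e%2e%2f`-style patterns. The `/blog/../images/` entry shows that traversal sequences also occur outside CMS paths, which is why the CMS-endpoint clause is kept as a separate field rather than dropped.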
