CVE-2021-40101

7.2 HIGH

📋 TL;DR

This vulnerability lets an authenticated Concrete CMS user with Dashboard access change a password without supplying the current one: their own password, and potentially those of other users. It affects all Concrete CMS installations before version 8.5.7.

💻 Affected Systems

Products:
  • Concrete CMS
Versions: All versions before 8.5.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the Dashboard interface. The vulnerability exists in the password change functionality.

📦 What is this software?

Concrete CMS (formerly concrete5) is an open-source PHP content management system. The Dashboard is its authenticated administration interface, which is where the affected password change functionality lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with an authenticated Dashboard account could change an administrator's password, take over the CMS, and from there potentially compromise the whole web application and the underlying server.

🟠

Likely Case

Malicious users or compromised accounts could change passwords to maintain persistent access, escalate privileges, or lock out legitimate users.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to unauthorized password changes that can be detected and reversed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account but is trivial once logged in. A HackerOne report demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5.7

Vendor Advisory: https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes

Restart Required: No

Instructions:

1. Back up your Concrete CMS installation and database.
2. Update to Concrete CMS version 8.5.7 or later.
3. Verify the update completed successfully.
4. Test the password change functionality to confirm the current password is now required.

🔧 Temporary Workarounds

Disable user password changes
Applies to: all
Temporarily disable password change functionality for non-administrative users.

Implement additional authentication
Applies to: all
Add two-factor authentication or additional verification for password changes.

🧯 If You Can't Patch

  • Implement strict access controls to limit Dashboard access to trusted users only
  • Monitor authentication logs for unusual password change activities

🔍 How to Verify

Check if Vulnerable:

Using a test account on a non-production copy, attempt to change the account's password via the Dashboard without providing the current password. If the change succeeds, the system is vulnerable.

Check Version:

Check Concrete CMS version in admin panel or via concrete/bin/concrete5 c5:version

Verify Fix Applied:

After updating, an attempt to change a password without the current password should fail with an appropriate error message.
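The version check above is easy to get wrong when done by string comparison ("8.5.10" sorts before "8.5.7" lexicographically). The following is an added example, not code from Concrete CMS or from the original page: it takes the version string you read from the admin panel or the CLI and gates it numerically against 8.5.7, with the naive string comparison shown beside it for contrast. It does not query a site itself.

```python
"""Version gate for CVE-2021-40101: Concrete CMS below 8.5.7 is affected.

Added example; not part of the original page or of Concrete CMS. Input is
the version string as displayed by the admin panel or CLI (an assumption
about its shape: 'major.minor[.patch]', optional leading 'v').
"""
import re

FIXED = (8, 5, 7)  # first release with the fix
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(s):
    """'8.5.7' -> (8, 5, 7); '8.5' -> (8, 5, 0). Raises on anything else
    rather than guessing, so an odd CLI banner is not silently mis-read."""
    m = _VERSION_RE.match(s)
    if not m:
        raise ValueError(f"unrecognized version string: {s!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True for any release below 8.5.7, using numeric tuple comparison."""
    return parse_version(version) < FIXED


def naive_is_vulnerable(version):
    """The pitfall: plain string comparison. Wrong for '8.5.10' and '8.10.0'."""
    return version < "8.5.7"


if __name__ == "__main__":
    for v in ("8.4.5", "8.5.6", "8.5.7", "8.5.10", "9.0.1"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed",
              "(naive says vulnerable)" if naive_is_vulnerable(v) else "")
```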

📡 Detection & Monitoring

Log Indicators:

  • Multiple password change events for same user
  • Password changes without current password verification
  • Unusual password reset patterns

Network Indicators:

  • POST requests to password change endpoints without current password parameter

SIEM Query:

source="concrete_cms" AND (event="password_change" OR event="user_update") AND NOT current_password_present

This is an illustrative pseudo-query: the source, event and field names must be mapped to what your log pipeline actually records for Concrete CMS, and the "current password present" condition has to be derived from your own field mapping.
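To make the log and network indicators above concrete, here is an added example (not code from Concrete CMS or from the original page) that runs the three log checks and the POST-body check over constructed sample data. It assumes the CMS audit events are available as JSON lines with the fields ts, event, actor, target and current_password_present, and the form-field names in CURRENT_PASSWORD_FIELDS are placeholders; both are assumptions you would replace with a real field mapping.

```python
"""Detection logic for the CVE-2021-40101 pattern: password-affecting events
with no current-password verification, cross-account changes, bursts of
changes against one account, and POST bodies lacking a current-password field.

Added example, not code from Concrete CMS or the original page. The JSON-lines
format and the form-field names are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample events (not real log data). bob changes his own password
# without the current one, then hits the admin account three times in two
# minutes; dave's record lacks the verification field entirely.
SAMPLE_LOG = """\
{"ts": "2021-09-15T10:00:01Z", "event": "login", "actor": "alice", "target": "alice"}
{"ts": "2021-09-15T10:02:10Z", "event": "password_change", "actor": "alice", "target": "alice", "current_password_present": true}
{"ts": "2021-09-15T10:05:30Z", "event": "password_change", "actor": "bob", "target": "bob", "current_password_present": false}
{"ts": "2021-09-15T10:06:00Z", "event": "user_update", "actor": "bob", "target": "admin", "current_password_present": false}
{"ts": "2021-09-15T10:06:40Z", "event": "password_change", "actor": "bob", "target": "admin", "current_password_present": false}
{"ts": "2021-09-15T10:07:05Z", "event": "password_change", "actor": "bob", "target": "admin", "current_password_present": false}
{"ts": "2021-09-15T11:30:00Z", "event": "password_change", "actor": "dave", "target": "dave"}
{"ts": "2021-09-15T12:00:00Z", "event": "password_change", "actor": "carol", "target": "carol", "current_password_present": true}
"""

PASSWORD_EVENTS = {"password_change", "user_update"}

# Placeholder names for the current-password form field (assumption); take the
# real name from the Dashboard's password-change form.
CURRENT_PASSWORD_FIELDS = ("current_password", "uPasswordCurrent")


def parse_events(text):
    """Parse JSON lines into dicts with 'ts' as a datetime; skip bad lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError):
            continue  # malformed line: skip rather than abort the whole run
        events.append(rec)
    return events


def missing_current_password(events):
    """Password-affecting events with no current-password verification.
    An absent field counts as 'not verified' so the check fails closed."""
    return [e for e in events
            if e.get("event") in PASSWORD_EVENTS
            and not e.get("current_password_present", False)]


def cross_user_changes(events):
    """Password-affecting events where the actor is not the target account."""
    return [e for e in events
            if e.get("event") in PASSWORD_EVENTS
            and e.get("actor") != e.get("target")]


def repeated_changes(events, window=timedelta(minutes=10), threshold=2):
    """target -> max number of password-affecting events inside any window
    starting at one of that target's events, for targets at/above threshold."""
    by_target = defaultdict(list)
    for e in events:
        if e.get("event") in PASSWORD_EVENTS:
            by_target[e.get("target", "?")].append(e["ts"])
    flagged = {}
    for target, stamps in by_target.items():
        stamps.sort()
        best = max(sum(1 for t in stamps if start <= t <= start + window)
                   for start in stamps)
        if best >= threshold:
            flagged[target] = best
    return flagged


def post_lacks_current_password(form_body, fields=CURRENT_PASSWORD_FIELDS):
    """True if a URL-encoded POST body carries no non-empty current-password
    field (the network indicator). A blank value counts as missing."""
    params = parse_qs(form_body, keep_blank_values=True)
    return not any(params.get(f, [""])[0] for f in fields)


def summarize(text):
    """Run the three log checks and return counts a SIEM rule could alert on."""
    events = parse_events(text)
    return {
        "events": len(events),
        "missing_current_password": len(missing_current_password(events)),
        "cross_user_changes": len(cross_user_changes(events)),
        "repeated_changes": repeated_changes(events),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

On the sample data, summarize() reports five events with no current-password verification (four explicit, one with the field absent), three changes by bob against the admin account, and admin as the only account with a burst of changes inside a ten-minute window.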
