CVE-2021-40104

7.5 HIGH

📋 TL;DR

This CVE describes an SVG sanitizer bypass vulnerability in Concrete CMS that allows attackers to upload malicious SVG files containing JavaScript. This affects all Concrete CMS installations through version 8.5.5, potentially enabling cross-site scripting (XSS) attacks against users who view the uploaded SVG content.

💻 Affected Systems

Products:
  • Concrete CMS
Versions: through 8.5.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations with file upload functionality enabled, which is typically enabled by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as authenticated users, or redirecting to malicious sites.

🟠 Likely Case

Stored XSS attacks where malicious SVG files are uploaded and viewed by other users, leading to session hijacking or credential theft.

🟢 If Mitigated

If proper input validation and output encoding are implemented, the impact is limited to file upload functionality being abused.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires file upload privileges, which typically require at least contributor-level access. The HackerOne report demonstrates the bypass technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5.6 and later

Vendor Advisory: https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes

Restart Required: No

Instructions:

1. Backup your Concrete CMS installation and database.
2. Update to Concrete CMS version 8.5.6 or later.
3. Verify the update completed successfully by checking the version in the dashboard.

🔧 Temporary Workarounds

Disable SVG file uploads

all

Temporarily disable SVG file uploads through Concrete CMS file manager settings

Implement web application firewall rules

all

Block SVG file uploads at the WAF level or implement content filtering

🧯 If You Can't Patch

  • Implement strict content security policy (CSP) headers to mitigate XSS impact
  • Monitor file upload logs for SVG file uploads and investigate suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the Concrete CMS version in the dashboard, or read it from the core configuration under /concrete/config/ (the version is stored as a config array value, not a PHP constant).

Check Version:

php -r "\$c = include 'concrete/config/concrete.php'; echo \$c['version'], PHP_EOL;"

(Run from the web root. The core version is the 'version' entry of the array returned by concrete/config/concrete.php; the original one-liner referenced an undefined $app object and a file that does not hold the version.)

Verify Fix Applied:

Verify the version is 8.5.6 or later and confirm that the file manager now rejects or sanitizes SVG uploads that contain script content.

📡 Detection & Monitoring

Log Indicators:

  • SVG file uploads to Concrete CMS file manager
  • Unusual file upload patterns from user accounts

Network Indicators:

  • POST requests to file upload endpoints with SVG content
  • Base64 encoded SVG payloads in requests

SIEM Query:

source="concrete_cms_logs" AND (file_extension="svg" OR mime_type="image/svg+xml")
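As an added example (not code from Concrete CMS or from the HackerOne report), a small scanner that applies the same idea as the indicators above to the uploaded files themselves: it parses an SVG and flags the ways it can carry JavaScript (script elements, on* event handler attributes, javascript: URLs). The sample SVGs and file names are constructed.

```python
"""Flag uploaded SVG files that carry active content.

Added example for the detection section; not part of Concrete CMS.
For untrusted input in production, parse with defusedxml (same API)
to also block XML entity-expansion attacks.
"""
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    # Strip the XML namespace so {svg-ns}script and script compare equal,
    # and {xlink-ns}href is treated like a plain href.
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content seen."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Unparseable "SVG" is itself worth a look: browsers are lenient, parsers are not.
        return [f"parse-error: {exc}"]
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            findings.append("script element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{tag}>")
            # Browsers ignore embedded whitespace in the scheme, so squash it first.
            if aname == "href" and "".join(value.split()).lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def flag_uploads(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each upload name to its findings, keeping only files with findings."""
    return {name: f for name, data in files.items() if (f := svg_active_content(data))}


# Constructed samples standing in for files pulled from the upload directory.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" onload="alert(1)"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="java\nscript:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    uploads = {"logo.svg": BENIGN_SVG, "a.svg": SCRIPT_SVG, "b.svg": HANDLER_SVG, "c.svg": HREF_SVG}
    for name, found in flag_uploads(uploads).items():
        print(f"{name}: {', '.join(found)}")
```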
