Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2014-5107

concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2) system/view.php, (3) system/environment/file_storage_locations.php, (4) system/mail/importers.php, (5) system/mail/method.php, (6) system/permissions/file_types.php, (7) system/permissions/files.php, (8) system/permissions/tasks.php, (9) system/permissions/users.php, (10) system/seo/view.php, (11) view.php, (12) users/attributes.php, (13) scrapbook/view.php, (14) pages/attributes.php, (15) files/attributes.php, or (16) files/search.php in single_pages/dashboard/.

Published

2014-07-28T15:55:04.273

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 5.0 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-200

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	concrete5	concrete5	5.5.0	Yes
Application	concrete5	concrete5	5.5.1	Yes
Application	concrete5	concrete5	5.5.2	Yes
Application	concrete5	concrete5	5.5.2.1	Yes
Application	concrete5	concrete5	5.6.0	Yes
Application	concrete5	concrete5	5.6.0.1	Yes
Application	concrete5	concrete5	5.6.0.2	Yes
Application	concretecms	concrete_cms	5.4.2	Yes
Application	concretecms	concrete_cms	5.4.2.1	Yes
Application	concretecms	concrete_cms	5.4.2.2	Yes
Application	concretecms	concrete_cms	5.6.1	Yes
Application	concretecms	concrete_cms	5.6.1.1	Yes
Application	concretecms	concrete_cms	5.6.1.2	Yes
Application	concretecms	concrete_cms	5.6.2	Yes
Application	concretecms	concrete_cms	5.6.2.1	Yes

References

http://osvdb.org/show/osvdb/109269 Broken Link ([email protected])
http://packetstormsecurity.com/files/127493/Concrete-5.6.2.1-REFERER-Cross-Site-Scripting.html Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/68685 Third Party Advisory, VDB Entry ([email protected])
https://www.concrete5.org/documentation/background/version_history/5-6-3-release-notes Broken Link, Vendor Advisory ([email protected])
http://osvdb.org/show/osvdb/109269 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/127493/Concrete-5.6.2.1-REFERER-Cross-Site-Scripting.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/68685 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://www.concrete5.org/documentation/background/version_history/5-6-3-release-notes Broken Link, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)