GHSA-j4mv-2rv7-v2j9

GitHub Security Advisory

Improper Privilege Management in Concrete CMS

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, users in that group can escalate to administrator with a specially crafted curl request. The fix adds a check for group permissions before allowing a group to be moved.

Affected Packages

Packagist: concrete5/core
Affected versions: all versions from 0 up to, but not including, 8.5.7 (fixed in 8.5.7)

Key Information

GHSA ID: GHSA-j4mv-2rv7-v2j9
Published: November 23, 2021 6:18 PM
Last Modified: July 13, 2022 7:06 PM
CVSS Score: 7.5/10
Primary Ecosystem: Packagist
Primary Package: concrete5/core
GitHub Reviewed: Yes

Dataset

Last updated: August 2, 2025 6:46 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.