9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-30117

GHSA ID

GHSA-3jxh-6635-6jwp

EPSS Score

0.80938%

CWE

CWE-22

Published

6/25/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-30117

CVE-2022-30117: Path traversal in Concrete CMS

Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations.Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting.

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-30117

GHSA ID

GHSA-3jxh-6635-6jwp

EPSS Score

0.80938%

CWE

CWE-22

Published

6/25/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
concrete5/core	composer	>= 9.0.0, < 9.1.0	9.1.0
concrete5/core	composer	< 8.5.8	8.5.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly mentions two remediation steps: (1) sanitizing the upload endpoint and (2) modifying isFullChunkFilePresent to enforce early validation. The isFullChunkFilePresent function is directly named in the advisory, making it a high-confidence target. The upload endpoint's controller method (likely named uploadAction) is inferred as vulnerable due to the path traversal vector and the explicit mention of endpoint sanitization. While the exact controller method name isn't provided, the pattern matches common MVC frameworks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*on*r*t* *.*.* *n* **low *s w*ll *s *on*r*t* *.* t*rou** *.*.* *llow tr*v*rs*l in /in**x.p*p/**m/syst*m/*il*/uplo** w*i** *oul* r*sult in *n *r*itr*ry *il* **l*t* *xploit. T*is w*s r*m**i*t** *y s*nitizin* /in**x.p*p/**m/syst*m/*il*/uplo** to *nsur*

Reasoning

T** vuln*r**ility *xpli*itly m*ntions two r*m**i*tion st*ps: (*) s*nitizin* t** uplo** *n*point *n* (*) mo*i*yin* is*ull**unk*il*Pr*s*nt to *n*or** **rly v*li**tion. T** is*ull**unk*il*Pr*s*nt *un*tion is *ir**tly n*m** in t** **visory, m*kin* it * *

9.1

Basic Information

Concerned about an active attack path?

CVE-2022-30117: Path traversal in Concrete CMS

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI