Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.
Conclusion & alert: CVE-2023-48648 is rated Moderate Risk (62.5/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.23%).Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
Exploit prediction scoring system (EPSS) score for CVE-2023-48648
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
GHSA-m87h-jxr6-f82w · Severity: medium · Ecosystem: composer — Concrete CMS allows unauthorized access because directories can be created with insecure permissions
Affected software / configurations for CVE-2023-48648