CVE-2022-43691

Cleartext Transmission of Sensitive Information in packagist/concrete5/concrete5

Identifiers

GHSA-q3hq-hm5h-qrx3, CVE-2022-43691

Package Slug

packagist/concrete5/concrete5

Vulnerability

Cleartext Transmission of Sensitive Information

Description

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently discloses server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production.

Affected Versions

All versions before 8.5.10, all versions starting from 9.0.0 before 9.1.3

Solution

Upgrade to versions 8.5.10, 9.1.3 or above.

Last Modified

2022-11-22
