Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-c3mj-8qzc-ckd8

Summary

Improper Privilege Management
Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check for group permissions before allowing a group to be moved. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HCredit for discovery: "Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )"This fix is also in Concrete version 9.0.0

Aliases

alias	CVE-2021-22966

alias	GHSA-j4mv-2rv7-v2j9

Fixed_packages

url pkg:composer/concrete5/core@8.5.7

purl pkg:composer/concrete5/core@8.5.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-u4ys-wqfh-d3e7

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.7

Affected_packages

url pkg:composer/concrete5/core@8.2.0RC2

purl pkg:composer/concrete5/core@8.2.0RC2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.2.0RC2

url pkg:composer/concrete5/core@8.2.0

purl pkg:composer/concrete5/core@8.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.2.0

url pkg:composer/concrete5/core@8.2.1

purl pkg:composer/concrete5/core@8.2.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.2.1

url pkg:composer/concrete5/core@8.3.0

purl pkg:composer/concrete5/core@8.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.3.0

url pkg:composer/concrete5/core@8.3.1

purl pkg:composer/concrete5/core@8.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.3.1

url pkg:composer/concrete5/core@8.3.2

purl pkg:composer/concrete5/core@8.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.3.2

url pkg:composer/concrete5/core@8.4.0RC3

purl pkg:composer/concrete5/core@8.4.0RC3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.4.0RC3

url pkg:composer/concrete5/core@8.4.0RC4

purl pkg:composer/concrete5/core@8.4.0RC4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.4.0RC4

url pkg:composer/concrete5/core@8.4.0

purl pkg:composer/concrete5/core@8.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.4.0

url pkg:composer/concrete5/core@8.4.1

purl pkg:composer/concrete5/core@8.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.4.1

url pkg:composer/concrete5/core@8.4.2

purl pkg:composer/concrete5/core@8.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.4.2

url pkg:composer/concrete5/core@8.4.3

purl pkg:composer/concrete5/core@8.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.4.3

url pkg:composer/concrete5/core@8.4.4

purl pkg:composer/concrete5/core@8.4.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.4.4

url pkg:composer/concrete5/core@8.4.5

purl pkg:composer/concrete5/core@8.4.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.4.5

url pkg:composer/concrete5/core@8.5.0RC1

purl pkg:composer/concrete5/core@8.5.0RC1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.0RC1

url pkg:composer/concrete5/core@8.5.0RC2

purl pkg:composer/concrete5/core@8.5.0RC2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.0RC2

url pkg:composer/concrete5/core@8.5.0

purl pkg:composer/concrete5/core@8.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.0

url pkg:composer/concrete5/core@8.5.1

purl pkg:composer/concrete5/core@8.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.1

url pkg:composer/concrete5/core@8.5.2

purl pkg:composer/concrete5/core@8.5.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.2

url pkg:composer/concrete5/core@8.5.3

purl pkg:composer/concrete5/core@8.5.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.3

url pkg:composer/concrete5/core@8.5.4

purl pkg:composer/concrete5/core@8.5.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.4

url pkg:composer/concrete5/core@8.5.5

purl pkg:composer/concrete5/core@8.5.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.5

url pkg:composer/concrete5/core@8.5.6RC1

purl pkg:composer/concrete5/core@8.5.6RC1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.6RC1

url pkg:composer/concrete5/core@8.5.6

purl pkg:composer/concrete5/core@8.5.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y1d-66kt-g3dj

vulnerability	VCID-4mf1-2cfa-9qhe

vulnerability	VCID-6mt9-72w9-nba8

vulnerability	VCID-8rsq-c5jg-53cy

vulnerability	VCID-bx3d-22ya-jqh7

vulnerability	VCID-c3mj-8qzc-ckd8

vulnerability	VCID-u4ys-wqfh-d3e7

vulnerability	VCID-vata-s3cw-pqax

vulnerability	VCID-ycue-c4sz-cqgs

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/core@8.5.6

References

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22966

reference_id

reference_type

scores

value	0.00267
scoring_system	epss
scoring_elements	0.5034
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22966

reference_url

https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes

reference_url

https://hackerone.com/reports/1362747

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1362747

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-22966

reference_id

CVE-2021-22966

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22966

reference_url

https://github.com/advisories/GHSA-j4mv-2rv7-v2j9

reference_id

GHSA-j4mv-2rv7-v2j9

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-j4mv-2rv7-v2j9

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	269
name	Improper Privilege Management
description	The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score 7.0 - 8.9

Exploitability 0.5

Weighted_severity 8.0

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c3mj-8qzc-ckd8

Vulnerability Instance