sartlabs / 0days


Regarding the Composr CMS vulnerability #1

Open Lovinity opened 11 months ago

Lovinity commented 11 months ago

Hello, Patrick Schmalstig / PDStig here (a lead dev of Composr CMS).

You might have already seen this but in case you have not, Chris Graham explained why the reported CVE vulnerability for Composr CMS, CVE-2021-46360 (https://nvd.nist.gov/vuln/detail/CVE-2021-46360), is not a vulnerability.

The full news article is here: Clarifying the nature of administrator accounts (https://compo.sr/news/view/security-issues/clarifying-the-nature.htm). In short:

  1. An "Administrator" by Composr's standards is someone who should have full and complete access to the code. Therefore, it is not a vulnerability that an administrator can remove .htaccess files and upload PHP files; it's by design.
  2. Composr tries not to rely on / require FTP and SSH for full functionality and harmony (e.g. it allows you to do anything and everything via a web interface), which is why admins have full code access.
  3. Generally, only webmasters should have admin privileges.
sartlabs commented 11 months ago

Thanks for your mail; however, this is quite old now. I am surprised to see this mail after such a long time!

On Mon, Nov 20, 2023, 3:45 PM Lovinity wrote:

Hello, Patrick Schmalstig / PDStig here (a lead dev of Composr CMS).

You might have already seen this but in case you have not, Chris Graham explained why the reported CVE vulnerability for Composr CMS CVE-2021-46360 https://nvd.nist.gov/vuln/detail/CVE-2021-46360 is not a vulnerability.

The full news article is here: Clarifying the nature of administrator accounts https://compo.sr/news/view/security-issues/clarifying-the-nature.htm. In short:

  1. An "Administrator" by Composr's standards is someone who should have full and complete access to the code. Therefore, it is not a vulnerability that an administrator can remove .htaccess files and upload PHP files; it's by design.
  2. Composr tries not to rely on / require FTP and SSH for full functionality and harmony (e.g. it allows you to do anything and everything via a web interface), which is why admins have full code access.
  3. Generally, only webmasters should have admin privileges.


Lovinity commented 11 months ago

Hello,

Apologies for that. Both myself and the other Composr developer have largely been inactive due to life circumstances for a while. I only now noticed the CVE was still active. And I was unsure if you knew about Chris' explanation, since he posted it on the Composr site, but I didn't see any postings elsewhere.