Regarding the Composr CMS vulnerability

[Lovinity]

Hello, Patrick Schmalstig / PDStig here (a lead dev of Composr CMS).

You might have already seen this but in case you have not, Chris Graham explained why the reported CVE vulnerability for Composr CMS CVE-2021-46360 is not a vulnerability.

The full news article is here: Clarifying the nature of administrator accounts. In short:

1. An "Administrator" by Composr's standards is someone who should have full and complete access to the code. Therefore, it is not a vulnerability that an administrator can remove .htaccess files and upload PHP files; it's by design.
2. Composr tries not to rely on / require FTP and SSH for full functionality and harmony (e.g. it allows you to do anything and everything via a web interface), thus why admins have full code access.
3. Generally, only webmasters should have admin privileges.

[sartlabs]

Thanks for your mail however this is quite old now, i am surprised to see this mail after long time!

…

On Mon, Nov 20, 2023, 3:45 PM Lovinity ***@***.***> wrote: Hello, Patrick Schmalstig / PDStig here (a lead dev of Composr CMS). You might have already seen this but in case you have not, Chris Graham explained why the reported CVE vulnerability for Composr CMS CVE-2021-46360 <https://nvd.nist.gov/vuln/detail/CVE-2021-46360> is not a vulnerability. The full news article is here: Clarifying the nature of administrator accounts <https://compo.sr/news/view/security-issues/clarifying-the-nature.htm>. In short: 1. An "Administrator" by Composr's standards is someone who should have full and complete access to the code. Therefore, it is not a vulnerability that an administrator can remove .htaccess files and upload PHP files; it's by design. 2. Composr tries not to rely on / require FTP and SSH for full functionality and harmony (e.g. it allows you to do anything and everything via a web interface), thus why admins have full code access. 3. Generally, only webmasters should have admin privileges. — Reply to this email directly, view it on GitHub <#1>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/APLMZN2NZFBWYSYTWFBETFLYFMUS3AVCNFSM6AAAAAA7SU5YVOVHI2DSMVQWIX3LMV43ASLTON2WKOZSGAYDCOBTG44DOOA> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[Lovinity]

Hello,

Apologies for that. Both myself and the other Composr developer have largely been inactive from life circumstances for a while. I only now noticed the CVE was still active. And I was unsure if you knew about Chris' explanation since he posted on the Composr site, but I didn't see any postings elsewhere.