Inconsistent Permission Checking and other vulns in Concrete CMS

We discussed this vulnerability during Episode 121 on 21 February 2022

A few vulnerabilities here: inconsistently enforced permissions, server-side request forgery with an extension blocklist, and password reset link poisoning.

Inconsistent Permissions

Concrete CMS uses a fairly flexible user group permission setup in which groups can inherit privileges from their parent group. The primary (single-group) editor performed a permission check when moving a group, which in this case prevents an Editor from moving the Editors group under the Administrators group. That same check was not done within the “Move Multiple Group” interface, however, allowing an editor to escalate their privileges.
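To make the bug pattern concrete, here is an added example (not Concrete CMS code, and a simplified model of its group inheritance) in which a single-move endpoint and a bulk-move endpoint share one authorization helper. The rule assumed here is that a user may only re-parent a group under groups whose privileges they already hold; the group and user names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None

    def ancestors(self) -> Iterable["Group"]:
        node = self.parent
        while node is not None:
            yield node
            node = node.parent


@dataclass
class User:
    name: str
    direct_groups: Set[str]  # names of groups the user was explicitly added to


def effective_groups(user: User, groups: Dict[str, Group]) -> Set[str]:
    """Assumed inheritance model: members of a child group also hold the privileges
    of every ancestor group, so re-parenting a group changes what its members can do."""
    names: Set[str] = set()
    for gname in user.direct_groups:
        g = groups[gname]
        names.add(g.name)
        names.update(a.name for a in g.ancestors())
    return names


def can_move(user: User, group: Group, new_parent: Optional[Group],
             groups: Dict[str, Group]) -> bool:
    """Single authorization rule shared by every code path that re-parents a group:
    the caller must already hold the privileges the new parent (and its ancestors)
    would confer, and the move must not create a cycle."""
    if new_parent is None:
        return True  # moving to the root grants nothing new
    needed = {new_parent.name} | {a.name for a in new_parent.ancestors()}
    if group is new_parent or group.name in needed:
        return False  # would make the group its own ancestor
    return needed <= effective_groups(user, groups)


def move_group(user: User, group: Group, new_parent: Optional[Group],
               groups: Dict[str, Group]) -> bool:
    """Single-group move: enforces the check (the path the write-up says was correct)."""
    if not can_move(user, group, new_parent, groups):
        return False
    group.parent = new_parent
    return True


def move_multiple_groups_vulnerable(user: User, targets: List[Group],
                                    new_parent: Optional[Group],
                                    groups: Dict[str, Group]) -> List[str]:
    """Bulk move that skips the check entirely: the inconsistency described above."""
    for g in targets:
        g.parent = new_parent
    return [g.name for g in targets]


def move_multiple_groups_fixed(user: User, targets: List[Group],
                               new_parent: Optional[Group],
                               groups: Dict[str, Group]) -> List[str]:
    """Bulk move that reuses the same helper per group; all moves are authorized or none happen."""
    if not all(can_move(user, g, new_parent, groups) for g in targets):
        return []
    for g in targets:
        g.parent = new_parent
    return [g.name for g in targets]


def build_scenario():
    """Constructed fixture: two top-level groups and a user who is only an Editor."""
    admins = Group("Administrators")
    editors = Group("Editors")
    groups = {g.name: g for g in (admins, editors)}
    editor = User("eve", {"Editors"})
    return groups, editor
```

The point of the example is structural: the authorization decision lives in one function that every re-parenting entry point calls, so a new bulk or API endpoint cannot quietly omit it. Regression tests that drive both endpoints with the same low-privilege user are the cheapest way to catch this class of bug.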

Server-Side Request Forgery

This one was pretty straightforward, as the feature itself was by design: editors can download a file from a remote server and save it locally. It did block file extensions like .php. To get around that, they used the common trick of appending /test.html after the .php (.../info.php/test.html); under many setups this still gets routed to the PHP file. They also used DNS rebinding to make a request to the instance metadata server.
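As an added example (not Concrete CMS code), the validator below shows why a check on the final extension misses /info.php/test.html, and what a stricter pre-fetch check looks like: every path segment is inspected, the scheme is restricted, and the hostname is resolved once so the caller can connect to the pinned address rather than re-resolving (the re-resolve between check and fetch is what DNS rebinding exploits). The blocklist contents, the fake resolver table and the addresses in it are constructed for the example.

```python
import ipaddress
from pathlib import PurePosixPath
from typing import Callable, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed blocklist for the example; a real deployment would prefer an allowlist.
BLOCKED_EXTENSIONS = {".php", ".phtml", ".phar"}
ALLOWED_SCHEMES = {"http", "https"}


def naive_extension_check(url: str) -> bool:
    """The weak check: only the last extension of the whole path is examined."""
    return PurePosixPath(urlsplit(url).path).suffix.lower() not in BLOCKED_EXTENSIONS


def every_segment_ok(path: str) -> bool:
    """Inspect each path segment (after percent-decoding) and every suffix in it,
    so '/info.php/test.html' and 'shell.php.txt' are both rejected."""
    for segment in unquote(path).split("/"):
        for suffix in PurePosixPath(segment).suffixes:
            if suffix.lower() in BLOCKED_EXTENSIONS:
                return False
    return True


def is_public_ip(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local (which covers 169.254.169.254) and similar ranges."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_remote_url(url: str, resolve: Callable[[str], List[str]]
                        ) -> Tuple[bool, str, Optional[str]]:
    """Return (ok, reason, pinned_ip). The fetch must connect to pinned_ip (still sending
    the original Host header) instead of resolving the name again, so a rebinding
    resolver cannot hand back a different address after the check has passed."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme", None
    if not parts.hostname:
        return False, "host", None
    if not every_segment_ok(parts.path):
        return False, "extension", None
    try:
        ips = resolve(parts.hostname)
    except OSError:
        return False, "dns", None
    if not ips:
        return False, "dns", None
    if not all(is_public_ip(ip) for ip in ips):
        return False, "private-address", None  # reject if any answer is internal
    return True, "ok", ips[0]


# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "files.example.com": ["93.184.216.34"],      # constructed: a routable public address
    "rebind.example.net": ["169.254.169.254"],   # constructed: a name answering with the metadata address
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])
```

Two caveats a practitioner would add: extension filtering is only a partial control, since the remote server decides what it returns regardless of the path, so the stored file should never be written somewhere the web server will execute it; and the address check is only meaningful if the HTTP client honours the pinned IP and does not follow redirects to a fresh, unchecked hostname.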

Password Reset Link Poisoning

This is an attack that pops up from time to time. When a request is made to the forgot-password endpoint, the application generates the URL for the password reset email, using the Host header to determine which domain to put in the link. An attacker can therefore change that header while still directing the request to the server’s IP, and the link sent to the victim will use the poisoned host. It does rely on the victim clicking the link, which exposes the token from their URL, but it’s a fun attack to be aware of regardless.
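The fix is to build absolute links from a configured canonical base URL rather than from anything the client sends, and, as defence in depth, to refuse requests whose Host header is not one the deployment expects. The added example below (not Concrete CMS code) shows the vulnerable and corrected link builders side by side; the base URL, allowed host list and the /reset-password path are assumptions for the example.

```python
from typing import Dict, Optional
from urllib.parse import urlencode, urlsplit

# Constructed deployment settings: the only origin reset links should ever point at.
CANONICAL_BASE_URL = "https://cms.example.com"
ALLOWED_HOSTS = frozenset({"cms.example.com"})
RESET_PATH = "/reset-password"  # hypothetical path for the example


def host_from_header(headers: Dict[str, str]) -> str:
    """Lower-case Host header with any port stripped; headers are assumed case-normalised."""
    return headers.get("Host", "").split(":", 1)[0].lower()


def reset_link_vulnerable(headers: Dict[str, str], token: str) -> str:
    """Builds the link from the request's Host header, so a poisoned header
    ends up in the e-mail the victim receives."""
    return f"https://{headers.get('Host', '')}{RESET_PATH}?{urlencode({'token': token})}"


def reset_link_fixed(headers: Dict[str, str], token: str) -> Optional[str]:
    """Ignores the request host entirely and uses the configured origin.
    Returns None (and the caller should log the event) when the Host header is
    not one this deployment serves, which is itself a useful detection signal."""
    if host_from_header(headers) not in ALLOWED_HOSTS:
        return None
    return f"{CANONICAL_BASE_URL}{RESET_PATH}?{urlencode({'token': token})}"


def link_host(link: str) -> str:
    """Helper for checking which host a generated link points at."""
    return urlsplit(link).hostname or ""
```

Returning None rather than silently substituting the canonical host keeps the anomaly visible: a burst of forgot-password requests with unexpected Host values is exactly the pattern a detection rule for this attack would key on.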