In the past several days, there have been a number of articles raising the alarm about content management systems which allow executable files to be uploaded by an administrator, who already has complete control over the website.
A vulnerability in concrete5 which permitted authenticated users to view the contents of arbitrary messages was reported on February 11, 2019. No information identifying individuals was exposed. A fix was added to the concrete5 repository on Monday, February 15, 2019, and the issue was mitigated on the concrete5.org website on Wednesday, February 20, 2019.
All concrete5 sites should update to versions 8.4.5 or 126.96.36.199. The concrete5.org website has been upgraded and its messages are no longer vulnerable. No evidence was found suggesting that this vulnerability was exploited on the website.
The timeline and details around the reporting of a security issue with ProEvents...