Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update() without field whitelisting resulting in password change without requiring the current password and also resulting in registered users able to disable the per-user-IP-pinning in the session validator which is meant to detect hijacking. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 5.3 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks 0x4c616e for reporting.
AnalysisAI
Concrete CMS versions below 9.5.0 expose authenticated users to two related privilege-abuse primitives via a mass assignment flaw: password replacement without the current password, and disabling per-user IP-pinning that guards against session hijacking. The user-profile edit controller forwards the entire raw POST body to UserInfo::update() with no field whitelist, allowing any registered user to inject arbitrary model attributes - including the password field and session-security settings - into their own profile update. No public exploit code has been identified at time of analysis, but the attack is low-complexity and network-accessible for any authenticated user.
Technical ContextAI
The root cause is CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes, colloquially known as a mass assignment vulnerability. The affected component is the user-profile edit controller in Concrete CMS (CPE: cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:*), which hydrates a UserInfo model by passing PHP's raw $_POST superglobal directly to UserInfo::update(). Without an explicit allowlist of writable fields, any model attribute whose name matches a POST key can be overwritten. Two exploitable consequences follow: (1) the 'password' field can be set to an arbitrary value without supplying the existing credential, bypassing the standard re-authentication gate for password changes; (2) the per-user IP-pinning flag in the session validator - a control designed to detect cookie theft - can be toggled off, weakening session-hijacking protections post-authentication. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) confirms network delivery, low complexity, and no additional targeting conditions beyond holding a low-privilege account.
RemediationAI
Upgrade to Concrete CMS 9.5.1 or later, which addresses the mass assignment flaw according to the vendor release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. The fix version of 9.5.1 is inferred from the reference URL naming convention and vendor disclosure; it has not been independently verified against a changelog diff. If immediate patching is not feasible, a compensating control is to restrict site registration to trusted users only, reducing the pool of low-privilege accounts that can reach the profile-edit endpoint. Additionally, administrators can audit whether per-user IP-pinning is enforced platform-wide through server-side configuration rather than relying on per-user flags, though this depends on CMS configuration options available in the installed version. Disabling user self-service profile editing entirely is a high-impact workaround that eliminates the attack surface but also removes legitimate functionality. There is no known network-layer control that would block this attack without blocking normal user profile management.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31362
GHSA-wmw3-3fv3-h54w