Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
Cross-site request forgery in Concrete CMS 9.x before 9.5.0 permits a remote unauthenticated attacker to trigger unauthorized event duplication on behalf of an authenticated user by luring that user to an attacker-controlled page. The vulnerable endpoint is concrete/controllers/dialog/event/duplicate, which lacks CSRF token validation. The vendor-assigned CVSS v4.0 score of 2.3 reflects genuinely low impact - limited to a low-integrity effect on the vulnerable system - and no public exploit code or CISA KEV listing has been identified at the time of analysis.
Technical ContextAI
Concrete CMS is a PHP-based content management system. The vulnerability resides in the event duplication dialog controller at concrete/controllers/dialog/event/duplicate, which processes state-changing requests without validating a CSRF token, making it susceptible to CWE-352 (Cross-Site Request Forgery). In CSRF attacks, the victim's browser automatically attaches session credentials to cross-origin requests, allowing an attacker's crafted page to issue authenticated actions without possessing those credentials. The CVSS v4.0 vector component AT:P (Attack Requirements: Present) is notable - it indicates exploitation relies on conditions outside the attacker's direct control, specifically the victim maintaining an active authenticated session at the time of the forged request. The affected CPE is cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* across the 9.x branch.
RemediationAI
Upgrade to Concrete CMS 9.5.1 or later. While the CVE description states the fix is present in 9.5.0, the vendor's referenced release notes URL points to version 9.5.1 (https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes), indicating that 9.5.1 is the safer confirmed target version. If immediate upgrade is not possible, restrict access to the path /concrete/controllers/dialog/event/duplicate at the web server or WAF layer to prevent external requests; note this will disable the event duplication dialog for all users. As an additional defense-in-depth measure, ensure session cookies have the SameSite attribute set to Strict or Lax, which browsers honor by blocking cross-site cookie transmission and mitigates CSRF generically - though this is not a substitute for patching and may affect cross-site integrations.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31370
GHSA-98qf-jvwj-2r5f