Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
Cross-Site Request Forgery in Concrete CMS versions 9.0 through 9.5.0 exposes the approveVersion() backend file management endpoint to forged requests, allowing an unauthenticated remote attacker to manipulate file version approval state on behalf of an authenticated victim. The vendor's own CVSS v4.0 scoring assigns a 2.3 (Very Low) severity, reflecting the constrained impact - limited to low integrity change within the vulnerable component with no confidentiality or availability consequence. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, positioning this as a low-priority but legitimately tracked integrity weakness in CMS file workflows.
Technical ContextAI
Concrete CMS is a PHP-based content management system. The vulnerability resides in the backend file management controller located at concrete/controllers/backend/file, specifically within the approveVersion() method, which performs a state-changing operation (promoting a file version to approved status) without adequate verification that the HTTP request originated from the authenticated session owner. CWE-352 (Cross-Site Request Forgery) identifies the root cause class: the application relies on implicit browser credential transmission (session cookies) rather than requiring an unpredictable, per-request token tied to the user session. The affected CPE cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* confirms this is an application-layer weakness in the CMS software itself, not an underlying framework or OS dependency. The CVSS v4.0 vector component AT:P (Attack Requirements: Present) signals that the attack requires a precondition - specifically, an attacker-controlled page that the authenticated victim must load - while UI:P (User Interaction: Passive) confirms the victim need only visit a malicious URL without further active steps.
RemediationAI
Upgrade to Concrete CMS 9.5.1 or later - the vendor's release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes document the fix for this issue. Note the version discrepancy: the CVE description cites 9.5.0 as the threshold, but the reference URL targets the 9.5.1 release notes, so 9.5.1 should be treated as the confirmed remediated version until the vendor clarifies. If immediate upgrade is not possible, restrict network access to the backend file management interface (/index.php/ccm/system/backend/file or equivalent) to known trusted IP ranges via firewall or reverse proxy ACL - this reduces CSRF exposure by limiting who can reach the endpoint. Additionally, enforcing SameSite=Strict on session cookies at the web server or load balancer level will block cross-origin forged requests; be aware this may break legitimate cross-domain SSO or embedded integrations if present. Educating CMS editors and administrators about phishing-linked CSRF risks provides a lightweight compensating control during patch windows.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31363
GHSA-44q4-354f-c826