Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
AnalysisAI
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier allows unauthenticated remote attackers to enumerate arbitrary conversation message IDs via the /ccm/frontend/conversations/get_rating endpoint, confirming message existence and leaking rating scores. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:L) indicates no authentication is required but a prerequisite condition must be met - likely the Conversations module being enabled and publicly reachable. No public exploit has been identified and this CVE is not listed in CISA KEV, placing it in the low-priority tier despite its network-accessible nature.
Technical ContextAI
Concrete CMS is a PHP-based content management system with a built-in Conversations/Comments module. The vulnerable endpoint /ccm/frontend/conversations/get_rating is part of the front-end conversation API and accepts a message ID parameter without performing authorization checks on whether the requesting user is permitted to access the referenced message. CWE-862 (Missing Authorization) precisely describes the root cause: the application fails to verify that the actor has the right to access the resource identified by the supplied object reference. This allows sequential or arbitrary ID enumeration to map out conversation content structure. The CPE string cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* spans all versions, with affected range confirmed as 5.0 through 9.5.0 per EUVD-2026-31349.
RemediationAI
Upgrade to Concrete CMS 9.5.1, which is indicated as the fix release per the vendor's release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. If an immediate upgrade is not feasible, the most targeted compensating control is to disable the Conversations/Comments feature entirely in the CMS settings if it is not actively used - this eliminates the vulnerable endpoint from the attack surface with no side effects for sites not relying on the feature. Alternatively, restrict access to the path /ccm/frontend/conversations/get_rating via web server deny rules (nginx deny all location block or Apache Require all denied directive); note this will break front-end rating display for legitimate users. No other vendor-documented workarounds are available. The exact patch version 9.5.1 is inferred from the reference URL and not independently verified against a tagged release; confirm the fix is present before removing compensating controls.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31349
GHSA-2xp7-rpvc-pjwc