Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
AnalysisAI
Cross-Site Request Forgery (CSRF) in Concrete CMS 9.x before 9.5.1 allows a remote unauthenticated attacker to trigger unauthorized file-starring actions on behalf of an authenticated victim by luring them to a malicious page. The vulnerable endpoint is concrete/controllers/backend/file/star(), and successful exploitation results in a low-integrity modification of file bookmark state within the CMS. No public exploit code has been identified at time of analysis, and the Concrete CMS security team assigned this a CVSS v4.0 score of 2.3, reflecting its narrow, low-impact scope.
Technical ContextAI
The vulnerability resides in Concrete CMS's backend file management controller at concrete/controllers/backend/file/star(), which handles user-specific file starring (bookmarking) actions. CWE-352 (Cross-Site Request Forgery) describes a class of flaws where state-changing server-side operations lack adequate origin verification, allowing attacker-crafted cross-origin requests to be executed under the identity of an authenticated user. The CVSS v4.0 vector includes AT:P (Attack Target Presence), indicating that exploitation requires a victim who is actively authenticated to the Concrete CMS instance. The affected CPE is cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:* spanning versions 9.0 through the version range just before the fix. The root cause is the absence of CSRF token validation or SameSite cookie enforcement on the file-starring endpoint.
RemediationAI
Upgrade Concrete CMS to version 9.5.1 or later. The fix is documented in the vendor's official release notes at https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes. If immediate patching is not feasible, a compensating control is to configure session cookies with the SameSite=Strict or SameSite=Lax attribute at the web server or reverse proxy layer, which prevents cross-origin requests from carrying authenticated session credentials and directly mitigates CSRF risk; note this may affect cross-domain integrations if any are in use. Additionally, restricting access to the /concrete/controllers/backend/ path via a web application firewall or reverse proxy to only authenticated internal networks reduces the attack surface, at the cost of preventing remote-authenticated admin workflows.
More in Concrete Cms
View allA bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Co
Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely expl
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to at
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Co
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire in
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insec
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from tho
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP ad
An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31369
GHSA-97jw-gr4m-c5v8