Concrete CMS

16 CVEs tracked for this product

CVE-2026-8353 LOW This Week

Concrete CMS versions 9.0 through 9.5.0 are vulnerable to stored XSS via the page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user who visits the affected account pages, which can lead to session hijacking, credential theft, actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Yonatan Drori (Tenzai) for reporting.

Tags: XSS, Privilege Escalation, Concrete Cms
Sources: NVD | CVSS 4.0: 2.1 | EPSS: 0.0%
CVE-2026-8347 LOW Monitor

Concrete CMS 9.5.0 and below is vulnerable to an IDOR combined with an incorrect authorization-level check in the Express association Reorder dialog. A user holding only view permission on a single entry can tamper with the ordering state of other entities. A site is affected only if it uses Express and relies on Express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks to Winston Crooker for reporting.

Tags: Authentication Bypass, Concrete Cms
Sources: NVD | CVSS 4.0: 2.3 | EPSS: 0.0%
CVE-2026-8435 LOW Monitor

Cross-site request forgery in Concrete CMS versions 9.0 through 9.5.0 exposes the approveVersion() backend file management endpoint to forged requests, allowing an unauthenticated remote attacker to change file version approval state on behalf of an authenticated victim whose browser submits the forged request. The vendor's CVSS v4.0 score is 2.3 (Very Low), reflecting the constrained impact: a low integrity change within the vulnerable component, with no confidentiality or availability consequence. No public exploit code or active exploitation (CISA KEV) had been identified at the time of analysis, so this is a low-priority but legitimately tracked integrity weakness in CMS file workflows.

Tags: CSRF, Concrete Cms
Sources: NVD | CVSS 4.0: 2.3 | EPSS: 0.0%
CVE-2026-7887 LOW Monitor

The OAuth 2.0 Authorization Code handler in Concrete CMS 9.5.0 and earlier does not enforce account status checks, so users whose accounts are suspended, banned or terminated (uIsActive=0) can still complete OAuth flows and receive valid API tokens. Deployments that use OAuth 2.0 as an authentication mechanism are affected; the primary real-world impact is continued unauthorized access by deprovisioned users, such as terminated employees or revoked contractors, who still hold OAuth credentials. With a CVSS v4.0 score of 2.3, no CISA KEV listing and no public exploit identified at the time of analysis, this is a low-severity issue with narrow scope but meaningful identity governance implications for organizations that rely on CMS-level account suspension as a deprovisioning control.

Tags: Authentication Bypass, Concrete Cms
Sources: NVD | CVSS 4.0: 2.3 | EPSS: 0.1%
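The following is an added illustration of the missing check, written for this page; it is not Concrete CMS code. It models an authorization-code grant that ignores account status beside one that consults uIsActive both when the token is minted and on every later use, which is what closes the "deprovisioned user keeps access" gap the entry describes. The user table, the code store, the token format and all function names are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not Concrete CMS code. It models the check that the
// advisory says the authorization-code handler omits: consulting uIsActive.
// The user table, code store and token format are constructed assumptions;
// tokens here are random opaque strings kept in an in-memory map.

const USERS = [
    'alice'   => ['uIsActive' => 1],
    'mallory' => ['uIsActive' => 0], // suspended in the CMS, still holds an OAuth grant
];

/** Authorization codes already issued, keyed by code value (constructed). */
$codes = [
    'code-alice'   => ['user' => 'alice',   'client' => 'app1'],
    'code-mallory' => ['user' => 'mallory', 'client' => 'app1'],
];

/** Vulnerable grant: the code is valid and single-use, but account status is never read. */
function redeemCodeVulnerable(array &$codes, array &$tokens, string $code): ?string
{
    if (!isset($codes[$code])) {
        return null;
    }
    $grant = $codes[$code];
    unset($codes[$code]);                        // single use
    $token = bin2hex(random_bytes(16));
    $tokens[$token] = $grant['user'];
    return $token;
}

/** Hardened grant: refuse to mint a token for an inactive account. */
function redeemCodeHardened(array &$codes, array &$tokens, string $code): ?string
{
    if (!isset($codes[$code])) {
        return null;
    }
    $grant = $codes[$code];
    unset($codes[$code]);                        // consume the code even when refusing
    if ((USERS[$grant['user']]['uIsActive'] ?? 0) !== 1) {
        return null;                             // deprovisioned: no token
    }
    $token = bin2hex(random_bytes(16));
    $tokens[$token] = $grant['user'];
    return $token;
}

/**
 * Second checkpoint: re-check status on every use of an already-issued token,
 * so a suspension also takes effect for tokens minted before the account was disabled.
 */
function authenticateToken(array $tokens, string $token): ?string
{
    $user = $tokens[$token] ?? null;
    if ($user === null || (USERS[$user]['uIsActive'] ?? 0) !== 1) {
        return null;
    }
    return $user;
}

$tokens = [];
$t1 = redeemCodeVulnerable($codes, $tokens, 'code-mallory'); // mints a token for a suspended user
$t2 = redeemCodeHardened($codes, $tokens, 'code-alice');
printf("vulnerable grant for mallory: %s\n", $t1 !== null ? 'token issued' : 'refused');
printf("hardened grant for alice:     %s\n", $t2 !== null ? 'token issued' : 'refused');
printf("mallory's token at use time:  %s\n", authenticateToken($tokens, (string) $t1) ?? 'rejected');
```

The second checkpoint matters more than the first in practice: even after the grant handler is fixed, tokens issued before an account was suspended remain valid until something re-validates the account on each request, or the tokens are revoked when the account is.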
CVE-2026-7886 LOW Monitor

An Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and below allows authenticated users with conversation posting rights to bypass the file permission system and reference arbitrary files from the CMS file manager. The AddMessage and UpdateMessage conversation controllers accept user-supplied integer attachment IDs and load the file objects directly via the ORM without invoking the canViewFile() permission check, enabling unauthorized read and limited write access to files across the system. No public exploit code had been identified at the time of analysis, and the Concrete CMS security team assessed this as low severity (CVSS 4.0: 2.3), but sites that store sensitive private files are at meaningful risk if those files are served from within the webroot.

Tags: Authentication Bypass, Concrete Cms
Sources: NVD | CVSS 4.0: 2.3 | EPSS: 0.0%
CVE-2026-7881 MEDIUM PATCH This Month

Unauthorized access to all Express form submissions is possible in Concrete CMS 9.5.0 and below through an Insecure Direct Object Reference (IDOR) in the Express Entry Detail block: an unauthenticated remote attacker can read other submissions by manipulating the exEntryID parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) reflects network-accessible, unauthenticated exploitation, while the AT:P metric records a deployment precondition: the Express Entry Detail block must be in use. No public exploit or CISA KEV listing had been identified at the time of analysis; a vendor patch is available in release 9.5.1.

Tags: Authentication Bypass, Concrete Cms
Sources: NVD | CVSS 4.0: 6.3 | EPSS: 0.0%
CVE-2026-7879 MEDIUM This Month

Unauthorized file download in Concrete CMS 9.5.0 and below exposes permission-restricted files through a broken authorization check in the file download controller. The submit_password() method in download_file.php processes file access without enforcing the view_file permission gate, which produces two exploitable paths: an unauthenticated network actor can retrieve any file that carries no password protection, and anyone who knows a file's password can retrieve it regardless of whether their account holds the view_file permission. No public exploit had been identified at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Tags: PHP, Authentication Bypass, Concrete Cms
Sources: NVD | CVSS 4.0: 6.3 | EPSS: 0.0%
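The three authorization entries above (the conversation attachment IDOR, the exEntryID IDOR and the submit_password() download path) share one shape: an object is resolved from a client-supplied ID and served before, or without, the permission check. The following added illustration, written for this page and not taken from Concrete CMS, models that shape for the file download case, with a password gate in the vulnerable position (sole gate) and in the hardened position (an extra gate after view_file). FileRecord, Viewer, the in-memory $store and the function names are constructed; the model keeps the file password in the clear only to stay short.

```php
<?php
declare(strict_types=1);

// Added illustration, not Concrete CMS code. It models the "resolve by ID, then
// authorize" ordering that the three findings above get wrong. FileRecord,
// Viewer, $store and the function names are assumptions made for this example.

final class FileRecord
{
    public function __construct(
        public readonly int $id,
        public readonly string $name,
        public readonly ?string $password, // null: the file has no password gate
    ) {}
}

final class Viewer
{
    /** @param int[] $viewable file IDs on which this account holds view_file */
    public function __construct(public readonly ?string $username, private array $viewable) {}

    public function canViewFile(FileRecord $f): bool
    {
        return in_array($f->id, $this->viewable, true);
    }
}

/** Stand-in for the ORM lookup: any integer the client sends is looked up. */
function loadFile(array $store, int $id): ?FileRecord
{
    return $store[$id] ?? null;
}

/**
 * Vulnerable ordering, as described for submit_password(): the password is the
 * only gate, so an unprotected file is served to anyone who guesses its ID,
 * and knowing the password substitutes for view_file.
 */
function downloadVulnerable(array $store, Viewer $v, int $id, ?string $password): ?FileRecord
{
    $f = loadFile($store, $id);
    if ($f === null) {
        return null;
    }
    if ($f->password !== null && !hash_equals($f->password, (string) $password)) {
        return null;
    }
    return $f; // canViewFile() is never consulted on this path
}

/**
 * Hardened ordering: authorize the resolved object first, then apply the
 * password as an additional gate. The same rule fixes the attachment-ID and
 * exEntryID cases: resolving an ID never implies the caller may see the object.
 */
function downloadHardened(array $store, Viewer $v, int $id, ?string $password): ?FileRecord
{
    $f = loadFile($store, $id);
    if ($f === null || !$v->canViewFile($f)) {
        return null; // deny by default; unknown and forbidden IDs look identical to the client
    }
    if ($f->password !== null && !hash_equals($f->password, (string) $password)) {
        return null;
    }
    return $f;
}

// Constructed sample data: one public file, one private, one password-protected.
$store = [
    1 => new FileRecord(1, 'brochure.pdf', null),
    2 => new FileRecord(2, 'payroll.xlsx', null),
    3 => new FileRecord(3, 'board-minutes.pdf', 'correct horse'),
];
$anonymous  = new Viewer(null, []);            // holds view_file on nothing
$contractor = new Viewer('contractor', [1]);   // may view file 1 only

foreach ([
    'anon, id 2, no password'          => [$anonymous, 2, null],
    'contractor, id 3, right password' => [$contractor, 3, 'correct horse'],
] as $label => [$viewer, $id, $pw]) {
    $before = downloadVulnerable($store, $viewer, $id, $pw)?->name ?? 'denied';
    $after  = downloadHardened($store, $viewer, $id, $pw)?->name ?? 'denied';
    printf("%-34s vulnerable: %-18s hardened: %s\n", $label, $before, $after);
}
```

On the vulnerable path both constructed requests receive the file; on the hardened path both are denied, because neither viewer holds view_file on the requested ID. Returning the same "denied" result for unknown and forbidden IDs also removes the oracle that makes ID-guessing cheap in the exEntryID case.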
CVE-2026-3242 PHP MEDIUM POC PATCH This Month

Stored XSS in Concrete CMS versions before 9.4.8 allows authenticated administrators to inject malicious scripts through the Switch Language block, affecting any site where a rogue admin account exists. Public exploit code is available for this vulnerability. A patch is available in version 9.4.8 and later.

Tags: XSS, Concrete Cms
Sources: NVD, GitHub | CVSS 3.1: 4.8 | EPSS: 0.0%
CVE-2026-3241 PHP MEDIUM POC PATCH This Month

Stored XSS in Concrete CMS Legacy Form block below version 9.4.8 allows authenticated users with form creation permissions to inject malicious JavaScript into multiple-choice question options, which executes for all users viewing the affected form. Public exploit code exists for this vulnerability. Administrators should upgrade to version 9.4.8 or later to remediate the risk of session hijacking and data theft.

Tags: XSS, Concrete Cms
Sources: NVD, GitHub | CVSS 3.1: 4.8 | EPSS: 0.0%
CVE-2026-3240 PHP MEDIUM POC PATCH This Month

Stored XSS in Concrete CMS versions before 9.4.8 allows authenticated users with page editing permissions to inject malicious scripts through the Legacy form Question field, targeting high-privilege accounts. Public exploit code exists for this vulnerability, which requires user interaction to execute. A patch is available in version 9.4.8 and later.

Tags: XSS, Concrete Cms
Sources: NVD, GitHub | CVSS 3.1: 4.8 | EPSS: 0.0%
CVE-2026-2994 PHP MEDIUM POC PATCH This Month

Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group configuration: the group_id parameter is processed before CSRF token validation occurs, so a forged request can change this security setting in the session of an authenticated administrator. Public exploit code exists for this vulnerability, and a patch is available in version 9.4.8.

Tags: CSRF, Concrete Cms
Sources: NVD, GitHub | CVSS 3.1: 6.8 | EPSS: 0.0%
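Both CSRF entries on this page (the approveVersion() file endpoint and the allowlist group setting above) come down to request ordering: a state change happens before the anti-forgery token is verified, or is never verified at all. The following added illustration, written for this page and not Concrete CMS code, shows the vulnerable ordering beside a handler that verifies the method and token before reading any other input. CsrfToken is a stand-in for the CMS's own validation token helper; the field name ccm_token follows the convention that helper uses, and the action name, config key and request arrays are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not Concrete CMS code. CsrfToken is a stand-in for the
// CMS's validation token helper (which additionally binds a timestamp); the
// action name, config key and request arrays are constructed for this example.

final class CsrfToken
{
    public function __construct(private string $sessionSecret) {}

    /** Token bound to one action and one session. */
    public function generate(string $action): string
    {
        return hash_hmac('sha256', $action, $this->sessionSecret);
    }

    public function validate(string $action, ?string $token): bool
    {
        if ($token === null) {
            return false;
        }
        return hash_equals($this->generate($action), $token); // constant-time compare
    }
}

/** Vulnerable ordering: the setting is applied, then the token is checked. */
function setAllowlistGroupVulnerable(CsrfToken $csrf, array $post, array &$config): bool
{
    $config['antispam.allowlist_group'] = (int) ($post['group_id'] ?? 0); // side effect first
    if (!$csrf->validate('save_antispam', $post['ccm_token'] ?? null)) {
        return false; // too late: the forged request already changed the config
    }
    return true;
}

/** Hardened ordering: method and token are checked before any other input is read. */
function setAllowlistGroupHardened(CsrfToken $csrf, string $method, array $post, array &$config): bool
{
    if ($method !== 'POST') {
        return false;
    }
    if (!$csrf->validate('save_antispam', $post['ccm_token'] ?? null)) {
        return false;
    }
    $groupId = filter_var($post['group_id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($groupId === false) {
        return false;
    }
    $config['antispam.allowlist_group'] = $groupId;
    return true;
}

// Constructed request: a cross-site form post that rides on the admin's cookie
// but carries no token (the attacker's page cannot read the victim's token).
$csrf   = new CsrfToken(bin2hex(random_bytes(32)));
$forged = ['group_id' => '99'];
$config = ['antispam.allowlist_group' => 3];

$ok = setAllowlistGroupVulnerable($csrf, $forged, $config);
printf("vulnerable: returned %s, group is now %d\n", var_export($ok, true), $config['antispam.allowlist_group']);

$config = ['antispam.allowlist_group' => 3];
$ok = setAllowlistGroupHardened($csrf, 'POST', $forged, $config);
printf("hardened:   returned %s, group is still %d\n", var_export($ok, true), $config['antispam.allowlist_group']);

// A legitimate same-site form includes the token and succeeds.
$legit = ['group_id' => '7', 'ccm_token' => $csrf->generate('save_antispam')];
setAllowlistGroupHardened($csrf, 'POST', $legit, $config);
printf("legitimate: group is now %d\n", $config['antispam.allowlist_group']);
```

The vulnerable handler returns false for the forged request yet leaves the setting changed, which is exactly the failure the entry describes. Rejecting non-POST methods closes the companion mistake of accepting the same parameters on a GET that a plain image tag can trigger; SameSite cookies are a useful second layer but do not replace the token check.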
CVE-2026-3452 PHP HIGH PATCH This Week

Remote code execution in Concrete CMS prior to version 9.4.8 stems from unsafe deserialization of PHP objects in the Express Entry List block configuration. An authenticated administrator can inject malicious serialized data through the columns parameter that executes arbitrary code when unserialized without validation. This allows attackers with admin privileges to achieve complete system compromise through stored object injection attacks.

Tags: PHP, RCE, Deserialization, Concrete Cms
Sources: NVD, GitHub | CVSS 3.1: 7.2 | EPSS: 0.5%
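The entry above describes an admin-controlled columns value reaching unserialize() unvalidated. The following added illustration, written for this page and not Concrete CMS code, shows why that is code execution even with no known gadget in the CMS itself, and two safer ways to read the same setting: unserialize() with allowed_classes=false and a bounded depth followed by a shape check, or JSON, which cannot express PHP objects at all. LegacyCacheEntry is a constructed stand-in gadget, not a class from the project.

```php
<?php
declare(strict_types=1);

// Added illustration, not Concrete CMS code. LegacyCacheEntry is a constructed
// stand-in gadget; the column names and payload are made up for this example.

final class LegacyCacheEntry
{
    /** @var string[] record of what the "gadget" did */
    public static array $ran = [];

    public function __construct(public string $cmd) {}

    // Any magic method that acts on attacker-controlled state is a gadget;
    // a real chain would end in something like system($this->cmd).
    public function __wakeup(): void
    {
        self::$ran[] = $this->cmd;
    }
}

/** Vulnerable: any class in the autoload path can be instantiated by the payload. */
function columnsVulnerable(string $raw): array
{
    $v = unserialize($raw);
    return is_array($v) ? $v : [];
}

/** Hardened, same wire format: no objects, bounded depth, then a whitelist on shape. */
function columnsHardened(string $raw): array
{
    $v = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 4]);
    if (!is_array($v)) {
        return [];
    }
    $out = [];
    foreach ($v as $col) {
        // objects now arrive as __PHP_Incomplete_Class and fail this test
        if (is_string($col) && preg_match('/\A[a-z][a-z0-9_]{0,63}\z/', $col) === 1) {
            $out[] = $col;
        }
    }
    return $out;
}

/** Hardened, new format: JSON cannot encode PHP objects at all. */
function columnsJson(string $raw): array
{
    try {
        $v = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return [];
    }
    return is_array($v) ? array_values(array_filter($v, 'is_string')) : [];
}

// Constructed payload: what an admin-controlled block config could carry.
// Equivalent literal: a:1:{i:0;O:16:"LegacyCacheEntry":1:{s:3:"cmd";s:2:"id";}}
$payload = serialize([new LegacyCacheEntry('id')]);

columnsVulnerable($payload);
printf("vulnerable: gadget ran %d time(s)\n", count(LegacyCacheEntry::$ran));

LegacyCacheEntry::$ran = [];
$cols = columnsHardened($payload);
printf("hardened:   gadget ran %d time(s), columns kept: %s\n", count(LegacyCacheEntry::$ran), json_encode($cols));

printf("json:       %s\n", json_encode(columnsJson('["name","date_added",{"cmd":"id"}]')));
```

With allowed_classes disabled, the object in the payload is restored as __PHP_Incomplete_Class, so neither __wakeup nor a later __destruct runs; the shape check then drops it. The JSON variant is the better long-term fix for a block configuration because the format has no object type to abuse, which removes the need to reason about gadgets in every library the CMS autoloads.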
CVE-2026-3244 PHP MEDIUM POC PATCH This Month

Concrete CMS versions below 9.4.8 contain a stored XSS vulnerability in the search block where unencoded page names and content are rendered in search results, allowing authenticated administrators to inject malicious JavaScript that executes for other users. Public exploit code exists for this vulnerability, which requires high privileges and user interaction to exploit. The vulnerability affects confidentiality and integrity but not availability.

Tags: XSS, Concrete Cms
Sources: NVD, GitHub | CVSS 3.1: 4.8 | EPSS: 0.0%
CVE-2025-8573 PHP LOW POC PATCH Monitor

Concrete CMS versions 9 through 9.4.2 are vulnerable to stored XSS via the Home Folder field on the Members dashboard page. Rated low severity (CVSS 4.0 score 2.0), the vulnerability is remotely exploitable. Public exploit code is available and no vendor patch is available.

Tags: XSS, Concrete Cms
Sources: NVD, Exploit-DB | CVSS 4.0: 2.0 | EPSS: 0.1%
CVE-2025-8571 PHP MEDIUM PATCH This Month

Concrete CMS 9 through 9.4.2 and versions below 8.5.21 are vulnerable to reflected cross-site scripting (XSS) in the Conversation Messages dashboard page. Rated medium severity (CVSS 4.0 score 4.8), the vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.

Tags: XSS, Concrete Cms
Sources: NVD | CVSS 4.0: 4.8 | EPSS: 0.1%
CVE-2025-3153 PHP MEDIUM PATCH This Month

Concrete CMS 9.x below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a. Rated medium severity (CVSS 4.0 score 5.1), the vulnerability is remotely exploitable with low attack complexity and could allow attackers to inject malicious scripts into web pages viewed by other users.

Tags: XSS, CSRF, Concrete Cms
Sources: NVD, GitHub | CVSS 4.0: 5.1 | EPSS: 0.1%
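The stored and reflected XSS entries on this page (Atomik page name, Switch Language block, Legacy Form options and questions, search results, Home Folder, conversation messages, Address attribute) share one root cause: a stored or reflected string is written into HTML without encoding for the context it lands in. The following added illustration, written for this page and not Concrete CMS code, shows the raw-concatenation pattern beside context-aware encoding for HTML text and attributes, for an href, and for a value handed to inline script. e() and jsLiteral() are stand-ins for the CMS's own escaping helpers; the render functions and sample values are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not Concrete CMS code. e(), jsLiteral() and safeHref()
// are stand-ins for the CMS's escaping helpers; the render functions and the
// sample page name and path are constructed for this example.

/** HTML text and attribute context. ENT_QUOTES also covers single-quoted attributes. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Inline <script> context: JSON with the HTML-significant characters escaped as well. */
function jsLiteral(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

/** href context: encoding alone does not stop javascript: URLs, so restrict the scheme. */
function safeHref(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return e($url);
}

/** The pattern behind the search-block and theme findings: raw concatenation. */
function renderResultVulnerable(string $pageName, string $path): string
{
    return "<li><a href=\"$path\">$pageName</a></li>";
}

function renderResultHardened(string $pageName, string $path): string
{
    return '<li><a href="' . safeHref($path) . '">' . e($pageName) . '</a></li>';
}

/** Page name handed to client-side code, e.g. a theme script that reads the title. */
function renderTitleScriptHardened(string $pageName): string
{
    return '<script>var pageTitle = ' . jsLiteral($pageName) . ';</script>';
}

// Constructed stored values a rogue editor could save as a page name and path.
$name = '<img src=x onerror=alert(document.cookie)>';
$path = 'javascript:alert(1)';

echo "vulnerable: ", renderResultVulnerable($name, $path), "\n";
echo "hardened:   ", renderResultHardened($name, $path), "\n";
echo "script:     ", renderTitleScriptHardened('</script><script>alert(1)</script>'), "\n";
```

The reflected case is handled by the same rule: encode at output for the context, regardless of where the string came from. The inline-script case is the one most often missed, because htmlspecialchars() is the wrong tool there; a closing script tag inside a JavaScript string literal still ends the script element unless the angle brackets are escaped, which the JSON_HEX_TAG flag does. A Content Security Policy without unsafe-inline is a worthwhile second layer, not a replacement for encoding.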