CVE-2025-3153 Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 - CSRF and XSS in Concrete CMS Custom Address attribute

🗓️ 03 Apr 2025 00:17:14Reported by ConcreteCMSType

Vulnerability in Concrete CMS allows CSRF and XSS attacks on address attribute in certain versions.

Reporter	Title	Published	Views	Family All 12
Circl	CVE-2025-3153	3 Apr 202503:06	–	circl
CNNVD	Concrete CMS 安全漏洞	3 Apr 202500:00	–	cnnvd
CVE	CVE-2025-3153	3 Apr 202500:17	–	cve
EUVD	EUVD-2025-9568	3 Oct 202520:07	–	euvd
Github Security Blog	Concrete CMS Vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS)	3 Apr 202504:41	–	github
NVD	CVE-2025-3153	3 Apr 202502:15	–	nvd
OSV	GHSA-CMM4-P9V2-Q453 Concrete CMS Vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS)	3 Apr 202504:41	–	osv
Positive Technologies	PT-2025-14567 · Unknown · Concrete Cms	3 Apr 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-3153	5 Apr 202500:23	–	redhatcve
Snyk	Cross-site Request Forgery (CSRF)	3 Apr 202500:49	–	snyk

[
  {
    "defaultStatus": "unaffected",
    "product": "Concrete CMS",
    "repo": "https://github.com/concretecms/concretecms",
    "vendor": "Concrete CMS",
    "versions": [
      {
        "lessThanOrEqual": "9.3.4RC1",
        "status": "affected",
        "version": "9",
        "versionType": "git"
      },
      {
        "lessThan": "8.5.20",
        "status": "affected",
        "version": "5",
        "versionType": "git"
      }
    ]
  }
]

Source	Link
github	www.github.com/concretecms/concretecms/pull/12511
documentation	www.documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes
github	www.github.com/concretecms/concretecms/releases/tag/8.5.20
github	www.github.com/concretecms/concretecms/pull/12512

03 Apr 2025 18:41Current

CVSS 45.1

EPSS0.00333