GitHub Advisory DatabaseGHSA-W8FP-3GWQ-GXPWConcrete CMS vulnerable to Cross-site Request Forgery
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
49.3%
Concrete CMS is vulnerable to CSRF due to the lack of “State” parameter for external Concrete authentication service for users of Concrete who use the “out of the box” core OAuth.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| concrete5/concrete5 | lt | 9.1.3 | |
| concrete5/concrete5 | lt | 8.5.10 |
References
documentation.concretecms.org/developers/introduction/version-history/8510-release-notes
documentation.concretecms.org/developers/introduction/version-history/913-release-notes
github.com/advisories/GHSA-w8fp-3gwq-gxpw
github.com/concretecms/concretecms/releases/8.5.10
github.com/concretecms/concretecms/releases/9.1.3
nvd.nist.gov/vuln/detail/CVE-2022-43693
www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
49.3%