GHSA-P8P9-5953-H9JW Concrete CMS is vulnerable to IDOR in AddMessage/UpdateMessage
Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via the attachments parameter, which can lead to file permission bypass. The AddMessage and UpdateMessage conversation controllers accept user-supplied file attachment IDs and load files directly via $em->find(File::class,...
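The pattern described above, modelled as an added example in self-contained PHP 8. This is not Concrete CMS code: `StoredFile`, `FileRepo`, `attachUnchecked` and `attachChecked` are hypothetical names, and the per-file viewer list is an assumed stand-in for the CMS's file permissions. The first function attaches any file ID that resolves; the second also checks the requesting user's view permission on each file.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins for illustration; none of these are Concrete CMS APIs.
final class StoredFile {
    public function __construct(public int $id, public array $viewerIds) {}
}
final class FileRepo { // plays the role of the entity manager lookup
    public function __construct(private array $files) {}
    public function find(int $id): ?StoredFile { return $this->files[$id] ?? null; }
}

// Vulnerable pattern: every ID from the request that resolves is attached,
// with no check of who is asking.
function attachUnchecked(FileRepo $repo, array $ids): array {
    $out = [];
    foreach ($ids as $id) {
        $file = $repo->find((int) $id);
        if ($file !== null) { $out[] = $file->id; }
    }
    return $out;
}

// Hardened pattern: each ID is validated, loaded, and authorized for the
// requesting user before it is attached.
function attachChecked(FileRepo $repo, int $userId, array $ids): array {
    $out = [];
    foreach ($ids as $id) {
        $fileId = filter_var($id, FILTER_VALIDATE_INT);
        $file = $fileId === false ? null : $repo->find($fileId);
        // One error for invalid, missing and forbidden IDs, so the response
        // does not reveal which file IDs exist.
        if ($file === null || !in_array($userId, $file->viewerIds, true)) {
            throw new RuntimeException('attachment not available');
        }
        $out[] = $file->id;
    }
    return $out;
}

// Constructed sample data: file 10 is viewable by user 1, file 11 by user 2.
$repo = new FileRepo([10 => new StoredFile(10, [1]), 11 => new StoredFile(11, [2])]);
$requested = ['10', '11']; // attachment IDs as they would arrive from user 1
var_dump(attachUnchecked($repo, $requested));
try {
    var_dump(attachChecked($repo, 1, $requested));
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```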