CVE-2017-18195

Name of the Vulnerable Software and Affected Versions: Concrete5 versions prior to 8.3.0

Description: An issue was discovered in tools/conversations/view ajax.php. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to "/index.php/tools/required/conversations/view ajax" with incremental cnvID integers.

Recommendations: For versions prior to 8.3.0, update to version 8.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/index.php/tools/required/conversations/view ajax" endpoint to prevent unauthorized comment enumeration.