PT-2026-22864 · Unknown · Concrete Cms

Z3Rco

·

Publicado

2026-03-04

·

Atualizado

2026-03-04

·

CVE-2026-2994

CVSS v3.1

6.8

Média

VetorAV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.4.8
Description Concrete CMS versions prior to 9.4.8 are susceptible to Cross-Site Request Forgery (CSRF) attacks initiated by a malicious administrator. The issue stems from the Anti-Spam Allowlist Group Configuration, specifically through manipulation of the group id parameter. This allows a security bypass, as changes are saved without proper CSRF token verification.
Recommendations Update Concrete CMS to version 9.4.8 or later.

Correção

CSRF

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-352

Identificadores relacionados

CVE-2026-2994
GHSA-6MXW-2VHF-42G5

Produtos afetados

Concrete Cms