0X4C616E

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.5.1 **Description** The OAuth 2.0 Authorization-Code Handler fails to verify account status. This allows users who are suspended, banned, or terminated employees, specifically those with the `uIsActive` variable set to 0, to successfully authenticate via OAuth and obtain valid API tokens. **Recommendations** Update to a version newer than 9.5.0.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.5.0 **Description** The user-profile edit controller passes the entire raw POST array to the `UserInfo::update()` function without field whitelisting. This allows registered users to change passwords without providing the current password for reauthorization. Additionally, this flaw enables users to disable per-user-IP-pinning in the session validator, a security feature designed to detect session hijacking. **Recommendations** Update to version 9.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.5.0 and earlier **Description** The RSS Displayer block accepts a feed URL from page editors and fetches it server-side without proper validation. This lack of validation allows for redirect-to-internal bypasses, where an attacker can potentially redirect requests to internal resources. **Recommendations** Update to a version later than 9.5.0. As a temporary workaround, restrict access to the RSS Displayer block for untrusted page editors.