Go · github.com/kumahq/kuma · CVE-2026-45021
**Name of the Vulnerable Software and Affected Versions**
Kuma versions prior to 2.7.25
Kuma versions prior to 2.9.15
Kuma versions prior to 2.11.13
Kuma versions prior to 2.12.10
Kuma versions prior to 2.13.5
**Description**
The default `kuma-cp` configuration lets any webpage an operator visits read the admin bootstrap token and signing keys while the control plane is reachable from their browser. Two defaults combine: `CorsAllowedDomains: [".*"]` reflects any `Origin` header back in `Access-Control-Allow-Origin`, so the browser lets the page read the response, and `LocalhostIsAdmin: true` treats any request arriving from `127.0.0.1` as `mesh-system:admin`, which a browser running on the same host as `kuma-cp` satisfies. A cross-origin `fetch()` from a malicious page therefore returns the admin JWT and signing material.
**Recommendations**
Update to version 2.7.25.
Update to version 2.9.15.
Update to version 2.11.13.
Update to version 2.12.10.
Update to version 2.13.5.
Set `KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN=false` after retrieving the admin token.
Set `KUMA_API_SERVER_CORS_ALLOWED_DOMAINS` to an explicit allowlist, such as `http://localhost:5681,http://127.0.0.1:5681`.
Avoid running `kuma-cp` on a machine used to browse untrusted websites.
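The model below is an added example written for this page, not Kuma's code, and it serves both the description above and the two configuration recommendations. It models the two settings as a `Config` struct (the field names follow the kuma-cp keys; the struct, the `/admin/token` path, the `adminToken` value, and regex matching of `Origin` are assumptions made for the example), then probes a weak configuration and a hardened one with a request that looks exactly like a page-originated `fetch()` from a browser on the operator's machine: an attacker `Origin`, a loopback peer address, and no credentials.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// Config models the two kuma-cp settings the advisory is about. The field
// names follow the kuma-cp config keys, but this struct and everything below
// is an illustrative model, not Kuma's own code.
type Config struct {
	CorsAllowedDomains []string // patterns matched against the Origin header
	LocalhostIsAdmin   bool     // treat loopback peers as mesh-system:admin
}

// adminToken stands in for the bootstrap token; constructed for this example.
const adminToken = "constructed-admin-token"

// weakConfig reproduces the vulnerable defaults; hardenedConfig applies the
// advisory's recommendations (explicit allowlist, no localhost promotion).
var (
	weakConfig     = Config{CorsAllowedDomains: []string{".*"}, LocalhostIsAdmin: true}
	hardenedConfig = Config{
		CorsAllowedDomains: []string{`^http://localhost:5681$`, `^http://127\.0\.0\.1:5681$`},
		LocalhostIsAdmin:   false,
	}
)

// originAllowed reports whether origin matches any configured pattern.
// Matching is modelled as a regular expression, which is what the ".*"
// default implies; ".*" matches every origin, including an attacker's.
func originAllowed(cfg Config, origin string) bool {
	for _, p := range cfg.CorsAllowedDomains {
		if ok, err := regexp.MatchString(p, origin); err == nil && ok {
			return true
		}
	}
	return false
}

// identity derives the caller's identity: a valid bearer token is admin;
// otherwise, with LocalhostIsAdmin on, a loopback peer is promoted to admin.
func identity(cfg Config, r *http.Request) string {
	if r.Header.Get("Authorization") == "Bearer "+adminToken {
		return "mesh-system:admin"
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	if ip := net.ParseIP(host); cfg.LocalhostIsAdmin && ip != nil && ip.IsLoopback() {
		return "mesh-system:admin"
	}
	return "mesh-system:anonymous"
}

// handler serves a hypothetical admin-only endpoint and applies CORS the way
// the advisory describes: an allowed Origin is reflected back verbatim.
func handler(cfg Config) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" && originAllowed(cfg, origin) {
			w.Header().Set("Access-Control-Allow-Origin", origin)
		}
		if identity(cfg, r) != "mesh-system:admin" {
			http.Error(w, "admin credentials required", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, adminToken) // the secret a malicious page is after
	})
}

// Probe captures what the browser would see for one request.
type Probe struct {
	Status      int
	AllowOrigin string
	Body        string
}

// probe sends a request with the given Origin from the given peer address.
// bearer is empty for a page-originated fetch, which carries no token.
func probe(cfg Config, origin, remoteAddr, bearer string) Probe {
	req := httptest.NewRequest(http.MethodGet, "/admin/token", nil) // hypothetical path
	req.Header.Set("Origin", origin)
	req.RemoteAddr = remoteAddr
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	rr := httptest.NewRecorder()
	handler(cfg).ServeHTTP(rr, req)
	return Probe{Status: rr.Code, AllowOrigin: rr.Header().Get("Access-Control-Allow-Origin"), Body: rr.Body.String()}
}

// leaksTo is true when a page at origin could read the admin token: the
// response carries it and Access-Control-Allow-Origin echoes that origin.
func leaksTo(p Probe, origin string) bool {
	return p.Status == http.StatusOK && p.AllowOrigin == origin && p.Body == adminToken
}

func main() {
	const evil, loopback = "https://attacker.example", "127.0.0.1:51234"
	for _, c := range []struct {
		name string
		cfg  Config
	}{{"weak", weakConfig}, {"hardened", hardenedConfig}} {
		p := probe(c.cfg, evil, loopback, "")
		fmt.Printf("%-8s status=%d allow-origin=%q leaks=%v\n", c.name, p.Status, p.AllowOrigin, leaksTo(p, evil))
	}
}
```

The probe's peer address is the loopback in both cases because the browser, not the attacker's server, makes the request; that is why the page's origin is irrelevant to the identity check and why the CORS allowlist alone is not enough. Tightening `CorsAllowedDomains` stops the page from reading the response, but the token stays reachable to anything on the host until `LocalhostIsAdmin` is off and operators authenticate with the retrieved token instead.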