Unknown · Concrete Cms · CVE-2026-8135
**Name of the Vulnerable Software and Affected Versions**
Concrete CMS versions prior to 9.5.1
**Description**
Remote Code Execution (RCE) is possible due to insecure deserialization in the `ExpressEntryList` block controller. An administrator with permission to add blocks can bypass the `fromCIF === true` protection mechanism by using the REST API. Because the REST API decodes request bodies with `json_decode()`, a JSON `true` arrives as a PHP boolean `true` and satisfies the strict comparison, allowing a malicious serialized payload to be stored in the `filterFields` database column. The payload executes when an administrator views or edits the block data, potentially leading to a full server takeover.
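The root cause described above is a trust decision made on a request-supplied flag whose type depends on the input channel. The PHP below is an added illustration written for this entry; it is not Concrete CMS code, and the function and field names (`flagFromFormBody`, `flagFromJsonBody`, `loadFilterFieldsUnsafe`, `loadFilterFieldsSafe`, the `fromCIF` and `filterFields` keys as modelled here) are assumptions. It shows why a strict `=== true` check behaves differently for form-encoded and JSON bodies, and a hardened way to read a serialized column that refuses to instantiate objects at all.

```php
<?php
// Added illustration, not Concrete CMS code. Names are assumptions.

// Form-encoded request: every value arrives as a string, so a strict
// comparison against boolean true can never succeed here.
function flagFromFormBody(array $post): mixed
{
    return $post['fromCIF'] ?? null;   // e.g. the string "true"
}

// JSON request body: json_decode() produces native PHP types, so the JSON
// literal true becomes boolean true.
function flagFromJsonBody(string $json): mixed
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return $data['fromCIF'] ?? null;
}

// The kind of check the advisory refers to: strict comparison with true.
function isTrustedImport(mixed $flag): bool
{
    return $flag === true;
}

// Unsafe pattern (assumed shape of the weak code): a request-controlled flag
// gates unserialize(), and unserialize() with default options will
// instantiate any class found in the payload.
function loadFilterFieldsUnsafe(string $stored, mixed $flag): mixed
{
    if (isTrustedImport($flag)) {
        return unserialize($stored);
    }
    return json_decode($stored, true);
}

// Hardened pattern (assumption: filterFields only ever holds scalar/array
// data). Objects are never instantiated regardless of who set the flag, and
// anything that is not a plain array is rejected.
function loadFilterFieldsSafe(string $stored): array
{
    // allowed_classes => false turns any object in the payload into
    // __PHP_Incomplete_Class, which has no magic methods to trigger.
    $value = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return [];
    }
    foreach ($value as $item) {
        if (is_object($item)) {
            return [];   // nested object marker: refuse the whole value
        }
    }
    return $value;
}

// Constructed inputs: the same logical value reaches the check as two types.
var_dump(isTrustedImport(flagFromFormBody(['fromCIF' => 'true'])));
var_dump(isTrustedImport(flagFromJsonBody('{"fromCIF": true}')));

// Constructed stored values: a plain array round-trips, an object payload is dropped.
var_dump(loadFilterFieldsSafe(serialize(['field' => 'title', 'op' => 'eq'])));
var_dump(loadFilterFieldsSafe(serialize(new stdClass())));
```

The defensive takeaway is that an authorization decision should not rest on a flag that one input path delivers as a string and another as a boolean; and a column that only ever needs scalar data should be read with `allowed_classes => false` (or stored as JSON instead of PHP serialization) so that even a tampered value cannot reach object instantiation.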
**Recommendations**
Update to version 9.5.1 or later.
As a temporary workaround until the update is applied, restrict the permission to add blocks to areas so that only trusted administrators hold it.