Unknown · Concrete CMS · CVE-2021-40108
**Name of the Vulnerable Software and Affected Versions**
Concrete CMS versions prior to 8.5.6
**Description**
The Calendar component of Concrete CMS is vulnerable to cross-site request forgery (CSRF). Specifically, the `ccm_token` is not verified on the "ccm/calendar/dialogs/event/add/save" endpoint, so the endpoint accepts requests without checking that they originated from the site's own forms.
**Recommendations**
For versions prior to 8.5.6, update to version 8.5.6 or later to resolve the issue.
As a temporary workaround, consider restricting access to the "ccm/calendar/dialogs/event/add/save" endpoint until a patch is available.
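For sites still running an affected version, a log-review sketch for the endpoint named in the Description, added here as an example (not code from Concrete CMS or from this advisory): it flags requests to the save endpoint whose Referer is missing or points at another host. It assumes combined-format access logs; the host `cms.example.test` and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the advisory.
ENDPOINT = "ccm/calendar/dialogs/event/add/save"

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

def suspicious_saves(lines, site_host):
    """Return (time, ip, method, reason) for requests to the calendar save
    endpoint whose Referer is absent or belongs to a different host."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format, skip
        path = urlsplit(m["path"]).path.rstrip("/")
        if not path.endswith(ENDPOINT):
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        if ref_host is None:
            # Can be legitimate (privacy settings strip Referer); review manually.
            reason = "missing Referer"
        elif ref_host.lower() != site_host.lower():
            reason = "cross-site Referer: " + ref_host
        else:
            continue  # same-site submission from the CMS's own pages
        findings.append((m["time"], m["ip"], m["method"], reason))
    return findings

# Constructed sample log lines (not taken from a real system).
_REQ = '"POST /index.php/ccm/calendar/dialogs/event/add/save HTTP/1.1" 200 498'
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Sep/2021:10:01:02 +0000] {_REQ} "https://cms.example.test/index.php/dashboard" "Mozilla/5.0"',
    f'203.0.113.7 - - [10/Sep/2021:10:05:40 +0000] {_REQ} "https://other.example.net/page.html" "Mozilla/5.0"',
    f'198.51.100.9 - - [10/Sep/2021:10:07:11 +0000] {_REQ} "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Sep/2021:10:08:00 +0000] "GET /index.php/blog HTTP/1.1" 200 9000 "https://other.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in suspicious_saves(SAMPLE_LOG, "cms.example.test"):
        print(finding)
```

A hit is a lead for review, not proof of forgery: compare flagged timestamps against calendar events that editors do not recognise.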