Unknown · Concrete Cms · CVE-2026-7882
**Name of the Vulnerable Software and Affected Versions**
Concrete CMS versions prior to 9.5.1
**Description**
The CSRF token check in the `DeleteFile` controller is inverted: the controller throws an error when the submitted token is valid and proceeds with the deletion when the token is invalid or missing. The effect is that Cross-Site Request Forgery (CSRF) protection, the mechanism meant to stop a third-party site from making a logged-in user's browser issue state-changing requests the application trusts, is disabled for the file deletion endpoint. An attacker who can get a victim to send a forged request, with no token at all, can therefore trigger a file deletion on behalf of a user who holds permission to edit conversation messages.
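To make the failure mode concrete, the following is an added example that models the inverted check beside its corrected form and runs a three-request regression check against each; it is illustrative code written for this page, not Concrete CMS's own controller. The request dictionary, the `csrf_token` parameter name, the in-memory file set and the `CsrfError` exception are assumptions chosen so the logic runs offline.

```python
"""Illustrative model of an inverted CSRF token check and its fix.

Added example, not Concrete CMS code: the request shape, the `csrf_token`
parameter name and the in-memory file store are assumptions.
"""
import hmac
import secrets


class CsrfError(Exception):
    """Raised when a state-changing request fails the CSRF check."""


def generate_token(session: dict) -> str:
    """Mint a per-session token and store it server-side."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def token_is_valid(session: dict, submitted) -> bool:
    """True only if a token was submitted and matches the session's token."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected, submitted)


def delete_file_vulnerable(session: dict, request: dict, files: set) -> bool:
    """Inverted check: a valid token is rejected, a missing/invalid one passes."""
    if token_is_valid(session, request.get("csrf_token")):
        raise CsrfError("Invalid token")  # wrong branch: rejects the legitimate request
    files.discard(request["file_id"])     # reached by any forged request
    return True


def delete_file_fixed(session: dict, request: dict, files: set) -> bool:
    """Correct check: the deletion runs only when the token is valid."""
    if not token_is_valid(session, request.get("csrf_token")):
        raise CsrfError("Invalid token")
    files.discard(request["file_id"])
    return True


def csrf_regression_check(handler) -> dict:
    """Exercise a handler with no token, a wrong token and the valid token.

    A correct handler yields all True; an inverted one yields all False, so a
    single forged request without a token is enough to expose the bug.
    """
    results = {}
    for name, make_token in (
        ("rejects_missing_token", lambda good: None),
        ("rejects_wrong_token", lambda good: "0" * len(good)),
        ("accepts_valid_token", lambda good: good),
    ):
        session, files = {}, {"report.pdf"}
        good = generate_token(session)
        request = {"file_id": "report.pdf", "csrf_token": make_token(good)}
        try:
            handler(session, request, files)
            deleted = "report.pdf" not in files
        except CsrfError:
            deleted = False
        # Forged requests must not delete; the legitimate one must.
        results[name] = deleted if name == "accepts_valid_token" else not deleted
    return results


if __name__ == "__main__":
    print("vulnerable:", csrf_regression_check(delete_file_vulnerable))
    print("fixed:     ", csrf_regression_check(delete_file_fixed))
```

The point of `csrf_regression_check` is that a CSRF test suite needs negative cases: a test that only submits the valid token and expects success passes against the correct handler and fails against the inverted one, but a suite that never sends a token-less request would not notice that the inverted handler accepts it.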
**Recommendations**
Update to Concrete CMS 9.5.1 or later (any version newer than 9.5.0).
Until the update can be applied, restrict access to the `DeleteFile` controller to reduce the risk of unauthorized file deletion. This is a temporary measure only; it limits who can reach the endpoint and does not restore the CSRF check itself.