Yonatan Drori

Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.5.1 **Description** Stored Cross-Site Scripting (XSS) occurs via the OAuth integration name. The OAuth authorize template renders the admin-controlled integration name using the `t()` translation helper as a sprintf-style format. Because the HTML wrap is constructed via PHP string interpolation before the `t()` function executes, the integration name is output as raw HTML. This could allow a malicious administrator to intercept login submissions. **Recommendations** Update to a version newer than 9.5.0.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.5.1 **Description** Reflected Cross-Site Scripting (XSS) occurs in Legacy Pagination through HTML attribute injection. The `ConcreteCoreLegacyPagination` class constructs pagination links by raw-interpolating the `$URL` variable into the `href` attribute of an anchor tag. An authenticated administrator or report viewer with access to the '/dashboard/reports/forms/legacy' endpoint can trigger the payload in their session by clicking a crafted URL. **Recommendations** Update to a version newer than 9.5.0. Restrict access to the '/dashboard/reports/forms/legacy' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.4.9 **Description** Concrete CMS is subject to Cross Site Request Forgery (CSRF), a flaw where an attacker tricks a logged-in user into executing unwanted actions. This issue occurs at the 'concrete/controllers/dialog/logs/bulk/delete' endpoint. **Recommendations** Update to version 9.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.4.x **Description** Concrete CMS is subject to Cross Site Request Forgery (CSRF), a flaw where an attacker tricks a victim into performing actions they did not intend to do. This issue occurs at the 'concrete/controllers/dialog/page/bulk/delete' endpoint. **Recommendations** Update to version 9.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.5.0 **Description** Cross Site Request Forgery (CSRF) is possible at the 'concrete/controllers/dialog/page/bulk/cache' endpoint. CSRF is a type of attack that tricks a victim into submitting a malicious request. It occurs when a web application does not properly verify that the request was intentionally initiated by the user. **Recommendations** Update to version 9.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.4.x **Description** Cross Site Request Forgery (CSRF) occurs at the 'concrete/controllers/dialog/page/bulk/design' endpoint. CSRF is a flaw that allows an attacker to induce users to perform actions they do not intend to perform. **Recommendations** Update to version 9.5.0.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.4.x **Description** Cross Site Request Forgery (CSRF) occurs at the 'concrete/controllers/dialog/event/duplicate' endpoint. CSRF is a flaw that allows an attacker to trick a victim into performing actions they did not intend to do. **Recommendations** Update to version 9.5.0 or later. As a temporary workaround, restrict access to the 'concrete/controllers/dialog/event/duplicate' endpoint.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.4.x **Description** Cross Site Request Forgery (CSRF) occurs at the 'concrete/controllers/dialog/express/association/reorder' endpoint. CSRF is a type of attack that tricks a victim into submitting a malicious request to a web application where they are currently authenticated. **Recommendations** Update to version 9.5.0 or later. As a temporary workaround, restrict access to the 'concrete/controllers/dialog/express/association/reorder' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.5.1 **Description** Concrete CMS fails to sanitize path traversal sequences in the `ptComposerFormLayoutSetControlCustomTemplate` field during the process of saving page type composer form layouts. An authenticated administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. When combined with the file uploader's extension-only validation, which allows PHP code to be saved within files using image extensions such as `.png`, this can lead to authenticated remote code execution (RCE), which is the ability to execute arbitrary commands on the target server remotely. **Recommendations** Update to a version newer than 9.5.0. As a temporary workaround, restrict composer form editing rights to only highly trusted administrators.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.4.x **Description** Cross Site Request Forgery (CSRF) occurs at the 'concrete/controllers/backend/file' endpoint within the `removeFavoriteFolder($id)` function. CSRF is a flaw that allows an attacker to induce a user into performing actions they did not intend to do. **Recommendations** Update to version 9.5.0. As a temporary workaround, restrict access to the `removeFavoriteFolder($id)` function in the 'concrete/controllers/backend/file' endpoint.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.4.x **Description** Cross Site Request Forgery (CSRF) occurs at the 'concrete/controllers/backend/file' endpoint within the `star()` function. CSRF is a flaw that allows an attacker to induce a user to perform actions they did not intend to do. **Recommendations** Update to version 9.5.0. As a temporary workaround, restrict access to the `star()` function in the 'concrete/controllers/backend/file' endpoint.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.4.x **Description** Cross Site Request Forgery (CSRF) occurs at the 'concrete/controllers/backend/file' endpoint within the `rescan()` function. CSRF is a type of attack that tricks a victim into submitting a malicious request to a web application where they are authenticated. **Recommendations** Update to version 9.5.0 or later. As a temporary workaround, restrict access to the `rescan()` function in the 'concrete/controllers/backend/file' endpoint.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0 through 9.4.x **Description** Cross Site Request Forgery (CSRF) occurs at the 'concrete/controllers/backend/file' endpoint within the `rescanMultiple()` function. CSRF is a type of attack that tricks a victim into submitting a malicious request. It is not possible to execute this attack without user interaction. **Recommendations** Update to version 9.5.0 or later. As a temporary workaround, restrict access to the `rescanMultiple()` function in the 'concrete/controllers/backend/file' endpoint.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0 through 9.4.x **Description** Cross Site Request Forgery (CSRF) occurs at the 'concrete/controllers/backend/file' endpoint within the `approveVersion()` function. CSRF is a flaw that allows an attacker to induce a user to perform actions they did not intend to do. **Recommendations** Update to version 9.5.0. As a temporary workaround, restrict access to the `approveVersion()` function in the 'concrete/controllers/backend/file' endpoint.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.5.1 **Description** Stored Cross-Site Scripting (XSS) occurs via the 'external-link' page `cvName` because the `updateCollectionAliasExternal()` function bypasses sanitization. Stored XSS is a flaw where malicious scripts are permanently stored on the target server, which then serves them to other users. **Recommendations** Update to a version newer than 9.5.0. As a temporary workaround, restrict access to the `updateCollectionAliasExternal()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.5.0 **Description** Cross Site Request Forgery (CSRF) occurs at the 'concrete/controllers/dialog/logs/delete' endpoint. CSRF is a type of attack that tricks a victim into submitting a malicious request. It is not specified how many devices are affected or if there are real-world incidents. **Recommendations** Update to version 9.5.0 or later.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.4.x **Description** Cross Site Request Forgery (CSRF) occurs at the 'concrete/controllers/backend/file' endpoint within the `addFavoriteFolder($id)` function. CSRF is a flaw that allows an attacker to induce a user to perform actions they did not intend to do. **Recommendations** Update to version 9.5.0. As a temporary workaround, restrict access to the `addFavoriteFolder($id)` function in the 'concrete/controllers/backend/file' endpoint.