Zer0Daysec

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.5.0 and earlier **Description** An Insecure Direct Object Reference (IDOR) exists in the surveys feature. This occurs when a site is configured with both public and private surveys. An unauthenticated attacker can vote in a restricted survey by submitting a restricted `optionID` through the public survey endpoint. **Recommendations** Update to a version later than 9.5.0.