PT-2022-27003 · Unknown · Concrete Cms
Adrian Tiron
Published 2022-11-14 · Updated 2025-04-30
CVE-2022-43687
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Concrete CMS (formerly concrete5) versions below 8.5.10
Concrete CMS (formerly concrete5) versions 9.0.0 through 9.1.2
Description
Concrete CMS does not issue a new session ID upon successful OAuth authentication. Because the session identifier that existed before login stays valid after login, the application is exposed to session fixation: a session ID that was known before the victim authenticated continues to identify the victim's authenticated session.
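As an added illustration (not Concrete CMS code), the following Python model shows the pattern behind this advisory: an OAuth callback that marks the pre-existing session as authenticated without rotating its ID, next to the corrected version that regenerates the ID at login, and a check a reviewer can run to confirm rotation. The session store, handler names and the user "alice" are constructed for the example.

```python
import secrets


class SessionStore:
    """Minimal server-side session store, constructed for this example."""

    def __init__(self):
        self._sessions = {}

    def new(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate(self, old_sid):
        """Issue a fresh ID, carry the data over and invalidate the old ID."""
        data = self._sessions.pop(old_sid, {})
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid


def oauth_callback_vulnerable(store, sid, user_id):
    """Pattern described by the advisory: the pre-authentication session is
    simply marked as logged in, so its ID stays valid after login."""
    if store.get(sid) is None:
        sid = store.new()
    store.get(sid)["user_id"] = user_id
    return sid


def oauth_callback_fixed(store, sid, user_id):
    """Corrected pattern: rotate the session ID at the moment of login."""
    new_sid = store.regenerate(sid) if store.get(sid) is not None else store.new()
    store.get(new_sid)["user_id"] = user_id
    return new_sid


def login_rotates_session(callback):
    """Check: after login, the ID handed out before authentication must no
    longer identify an authenticated session."""
    store = SessionStore()
    pre_auth_sid = store.new()
    post_auth_sid = callback(store, pre_auth_sid, "alice")
    stale = store.get(pre_auth_sid)
    stale_is_authenticated = stale is not None and "user_id" in stale
    return post_auth_sid != pre_auth_sid and not stale_is_authenticated
```

In a real deployment the equivalent check is to compare the session cookie value issued before the OAuth flow with the one in effect after the callback completes.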
Recommendations
For Concrete CMS versions below 8.5.10, update to Concrete CMS 8.5.10 or later.
For Concrete CMS versions 9.0.0 through 9.1.2, update to Concrete CMS 9.1.3 or later.
Fix
Session Fixation
Affected Products
Concrete Cms