CVE-2023-48652

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.0.0 through 9.2.2

Description The issue allows an attacker to force an admin user to delete server report logs on a web application to which they are currently authenticated via the API endpoint "/ccm/system/dialogs/logs/delete all/submit". This is a Cross Site Request Forgery (CSRF) issue.

Recommendations For Concrete CMS versions 9.0.0 through 9.2.2, update to version 9.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/ccm/system/dialogs/logs/delete all/submit" API endpoint to minimize the risk of exploitation.