PT-2023-30874 · Unknown · Concrete Cms
Veshraj Ghimire · Published 2023-12-25 · Updated 2024-12-16 · CVE-2023-48653
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Concrete CMS versions prior to 8.5.14
Concrete CMS versions 9 prior to 9.2.3
Description
Concrete CMS is vulnerable to Cross-Site Request Forgery (CSRF) via the "ccm/calendar/dialogs/event/delete/submit" API endpoint. An attacker can force an administrator to delete events on the site because event IDs are numeric and sequential, so valid IDs are easy to guess.
Recommendations
For Concrete CMS versions prior to 8.5.14, update to version 8.5.14 or later.
For Concrete CMS versions 9 prior to 9.2.3, update to version 9.2.3 or later.
As a temporary workaround, consider restricting access to the "ccm/calendar/dialogs/event/delete/submit" API endpoint to minimize the risk of exploitation.
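As an added illustration (not Concrete CMS code and not the vendor's fix), the following Python function shows the two checks a state-changing endpoint like the one above needs so that a request forged from another origin is rejected while the administrator's own submission passes; the endpoint path is the one named in this advisory, while the site origin, the token value and the `ccm_token` / `eID` form field names are assumptions.

```python
import hmac
from urllib.parse import urlsplit

DELETE_ENDPOINT = "/ccm/calendar/dialogs/event/delete/submit"  # from the advisory
SITE_ORIGIN = "https://cms.example.test"  # constructed site origin


def request_origin(headers):
    """Origin header wins; otherwise derive scheme://host from the Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_delete_request(method, path, headers, form, session_token):
    """Return (allowed, reason). Only the delete endpoint is gated here."""
    if path != DELETE_ENDPOINT:
        return True, "not in scope"
    if method != "POST":
        # A state change reachable by GET is forgeable with a plain <img> tag.
        return False, "state change must be POST"
    origin = request_origin(headers)
    if origin != SITE_ORIGIN:
        return False, f"cross-site origin: {origin!r}"
    token = form.get("ccm_token", "")  # assumed form field name
    if not token or not hmac.compare_digest(token, session_token):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"


# Constructed samples: the admin's own form post, and a forged post that rides
# on the admin's cookies but comes from a page on another origin.
SESSION_TOKEN = "c0ffee1234deadbeef"  # constructed per-session token
SAMPLES = {
    "legit": dict(method="POST", path=DELETE_ENDPOINT,
                  headers={"Origin": SITE_ORIGIN},
                  form={"eID": "42", "ccm_token": SESSION_TOKEN}),
    "forged": dict(method="POST", path=DELETE_ENDPOINT,
                   headers={"Referer": "https://evil.example.test/p.html"},
                   form={"eID": "42"}),
}


def triage(samples=SAMPLES, session_token=SESSION_TOKEN):
    """Decide each sample; the same loop can replay parsed access-log entries."""
    return {name: check_delete_request(session_token=session_token, **r)
            for name, r in samples.items()}
```

Call `triage()` to get a decision and reason per sample; feeding it parsed web-server log entries for the endpoint gives a quick way to spot cross-origin attempts while the workaround is in place.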
Fix
CSRF
Weakness Enumeration
Related identifiers
Affected products
Concrete Cms