PT-2026-42545 · Unknown · Concrete Cms
CVSS v4.0
6.3
Medium
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Concrete CMS versions 9.5.0 and earlier
Description
An authorization bypass exists in the Calendar Block. The function
action get events() fails to verify the canView permission on the calendar, which allows the disclosure of restricted event details.Recommendations
Update to a version later than 9.5.0.
As a temporary workaround, restrict access to the Calendar Block or the
action get events() function until the update is applied.Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Concrete Cms