Concrete CMS Insecure Direct Object Reference Vulnerability in Conversation Message Controllers

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Concrete CMS versions 9.5.0 and prior. The issue arises in the AddMessage and UpdateMessage conversation controllers, which process user-supplied file attachment IDs without proper permission checks. As a result, a user can bypass file access restrictions and reference any file in the CMS file manager by its sequential ID. The vulnerability can be exploited by any user who is able to post in conversations, leading to unauthorized access to files.
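The following is an added, language-agnostic model of the flaw described above and of the object-level check that closes it; it is constructed for this page and is not Concrete CMS code. The file manager, user names, file IDs and the `can_view_file` check are all assumptions standing in for the CMS's own file permissions. The vulnerable handler accepts any existing file ID from the request; the hardened handlers run the permission check on every referenced ID on both the add and the update path, and return the same error for a missing and a forbidden ID so the endpoint does not confirm which sequential IDs exist.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Constructed model of the advisory's pattern; not Concrete CMS code.


class PermissionDenied(Exception):
    """Raised when a poster references a file they are not allowed to view."""


@dataclass(frozen=True)
class StoredFile:
    file_id: int                      # sequential file-manager ID, trivially guessable
    name: str
    is_public: bool
    allowed_users: FrozenSet[str] = frozenset()


@dataclass
class Message:
    author: str
    body: str
    attachments: List[StoredFile] = field(default_factory=list)


def can_view_file(user: str, f: StoredFile) -> bool:
    """Object-level check standing in for the CMS file-manager permission (assumed)."""
    return f.is_public or user in f.allowed_users


def add_message_vulnerable(files: Dict[int, StoredFile], user: str, body: str,
                           attachment_ids: List[int]) -> Message:
    """IDOR: only existence of the ID is checked, never the poster's permission."""
    attachments = [files[fid] for fid in attachment_ids if fid in files]
    return Message(user, body, attachments)


def resolve_attachments(files: Dict[int, StoredFile], user: str,
                        attachment_ids: List[int]) -> List[StoredFile]:
    """Hardened: every referenced ID must resolve to a file the poster may view.
    Missing and forbidden IDs raise the same error so the response cannot be
    used to enumerate which sequential IDs exist."""
    resolved = []
    for fid in attachment_ids:
        f = files.get(fid)
        if f is None or not can_view_file(user, f):
            raise PermissionDenied(f"attachment {fid} is not available to {user}")
        resolved.append(f)
    return resolved


def add_message(files: Dict[int, StoredFile], user: str, body: str,
                attachment_ids: List[int]) -> Message:
    """Hardened AddMessage equivalent."""
    return Message(user, body, resolve_attachments(files, user, attachment_ids))


def update_message(files: Dict[int, StoredFile], msg: Message, user: str,
                   body: str, attachment_ids: List[int]) -> Message:
    """Hardened UpdateMessage equivalent: the update path re-validates every ID
    rather than trusting attachments that were previously accepted."""
    msg.body = body
    msg.attachments = resolve_attachments(files, user, attachment_ids)
    return msg


# Constructed sample file manager: ID 1 is public, ID 2 is restricted to one user.
SAMPLE_FILES: Dict[int, StoredFile] = {
    1: StoredFile(1, "logo.png", is_public=True),
    2: StoredFile(2, "payroll-2026.xlsx", is_public=False,
                  allowed_users=frozenset({"hr_admin"})),
}


if __name__ == "__main__":
    leaked = add_message_vulnerable(SAMPLE_FILES, "visitor", "hello", [1, 2])
    print("vulnerable handler attached:", [f.name for f in leaked.attachments])
    try:
        add_message(SAMPLE_FILES, "visitor", "hello", [1, 2])
    except PermissionDenied as exc:
        print("hardened handler refused:", exc)
    ok = add_message(SAMPLE_FILES, "hr_admin", "report", [2])
    print("hr_admin may attach:", [f.name for f in ok.attachments])
```

The point of routing both controllers through one `resolve_attachments` helper is that the permission check lives in exactly one place, so an update path cannot silently drift out of step with the add path.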

Impact

Exploitation of this vulnerability allows for file permission bypass, enabling unauthorized access to files through the CMS file manager.

Remediation

Users should upgrade to Concrete CMS version 9.5.1 or later, where this vulnerability has been fixed. Additionally, sites that host private files should configure a private storage location outside the webroot so that the CMS's permission checks are applied to every file access.

Added: May 21, 2026, 10:41 PM
Updated: May 21, 2026, 10:41 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.3
exploitability: 5.4
remediation: 8.3
relevance: 9.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.