Concrete CMS
cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*
- <= 9.5.0
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Concrete CMS versions through 9.5.0. The issue arises from a missing authentication check in the file usage dialog endpoint, which allows unauthenticated users to access internal site structure data by sending a GET request with a specific file ID. This data includes page IDs, versions, and URL paths, potentially exposing information from pages with restricted permissions.
Exploitation of this vulnerability could lead to unauthorized disclosure of internal site structure data, including sensitive information from pages with restricted permissions.