Concrete CMS
cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*
- <= 9.5.0
A vulnerability exists in Concrete CMS versions prior to 9.5.0 that allows users to change passwords without proper authorization and to bypass session hardening measures. The user-profile edit controller passes the entire raw POST array to the UserInfo::update() method without field whitelisting. As a result, a password can be changed without supplying the current password, and registered users can disable the per-user IP pinning in the session validator, a feature designed to detect session hijacking.
Exploitation of this vulnerability allows for unauthorized password changes and the ability to disable session IP pinning, increasing the risk of session hijacking.
Users can upgrade to Concrete CMS version 9.5.0 or later to address this vulnerability.
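The control the description says is missing, field whitelisting plus a current-password check before a password change, shown as an added example; it is not Concrete CMS code or its actual patch. The function name and every field name (including pin_session_ip) are hypothetical stand-ins, since the page does not list the real ones.

```php
<?php
declare(strict_types=1);

// Hypothetical field names: the only keys a user may set on their own profile.
const SELF_EDITABLE = ['email', 'timezone', 'language'];

// Reduce a raw profile POST array to allowlisted fields. A password change is
// accepted only when the current password verifies against $storedHash.
function filterProfileUpdate(array $post, string $storedHash): array
{
    $clean = [];
    foreach (SELF_EDITABLE as $field) {
        if (isset($post[$field]) && is_string($post[$field])) {
            $clean[$field] = $post[$field];
        }
    }
    // Password change is opt-in and needs proof of the current password.
    $new = $post['new_password'] ?? '';
    if (is_string($new) && $new !== '') {
        $current = $post['current_password'] ?? '';
        if (!is_string($current) || !password_verify($current, $storedHash)) {
            throw new InvalidArgumentException('Current password is required to set a new one.');
        }
        $confirm = $post['new_password_confirm'] ?? '';
        if (!is_string($confirm) || !hash_equals($new, $confirm)) {
            throw new InvalidArgumentException('Password confirmation does not match.');
        }
        $clean['new_password'] = $new;
    }
    return $clean;
}

// Constructed sample request: one legitimate field plus two that must not pass.
$storedHash = password_hash('old-secret', PASSWORD_DEFAULT);
$post = [
    'email'          => 'user@example.test',
    'pin_session_ip' => '0',          // hypothetical session-hardening flag
    'new_password'   => 'new-secret', // sent without current_password
];
try {
    filterProfileUpdate($post, $storedHash);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
unset($post['new_password']);
var_dump(filterProfileUpdate($post, $storedHash)); // only 'email' remains
```

Only the filtered array would then be handed to the update call, so keys outside the allowlist never reach the persistence layer.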