Concrete CMS IDOR Vulnerability in Surveys Allowing Unauthenticated Voting on Restricted Options

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Concrete CMS versions 9.5.0 and below, specifically within the surveys feature. The vulnerability arises when a site hosts both public and private surveys: an unauthenticated attacker can vote in a private survey by submitting the vote through the public survey's endpoint, bypassing the private survey's access restrictions. The Concrete CMS security team assigned this vulnerability a CVSS v4.0 score of 6.3.
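To make the failure mode concrete, the following is an added example (not Concrete CMS code; the survey, option and access-rule names are assumptions) of a vote handler that authorizes against the survey named in the request but resolves the option id globally, beside a corrected handler that requires the option to belong to that same survey:

```python
"""Simplified model of the survey-vote IDOR (constructed example, not Concrete CMS code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Survey:
    id: int
    public: bool
    options: Dict[int, int] = field(default_factory=dict)  # option_id -> vote count


# Constructed sample data: one public survey and one private survey.
SURVEYS = {
    1: Survey(id=1, public=True, options={10: 0, 11: 0}),
    2: Survey(id=2, public=False, options={20: 0, 21: 0}),
}


def can_view(survey: Survey, user: Optional[str]) -> bool:
    """Access rule assumed for this example: private surveys require a logged-in user."""
    return survey.public or user is not None


def vote_vulnerable(survey_id: int, option_id: int, user: Optional[str]) -> bool:
    """Vulnerable pattern: the permission check uses the survey named in the
    request, but the option is looked up globally by id, so an option from a
    private survey can be voted on through a public survey's endpoint."""
    survey = SURVEYS[survey_id]
    if not can_view(survey, user):
        return False
    for other in SURVEYS.values():  # global lookup: the IDOR
        if option_id in other.options:
            other.options[option_id] += 1
            return True
    return False


def vote_fixed(survey_id: int, option_id: int, user: Optional[str]) -> bool:
    """Hardened pattern: the option must belong to the survey being voted on,
    and the permission check is made against that same survey."""
    survey = SURVEYS[survey_id]
    if option_id not in survey.options:  # reject cross-survey option ids
        return False
    if not can_view(survey, user):
        return False
    survey.options[option_id] += 1
    return True
```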

Impact

Exploitation of this vulnerability allows for unauthorized voting in private surveys, undermining the integrity of the survey results.

Remediation

Upgrade to Concrete CMS version 9.5.1 or later, where this vulnerability is fixed.

Added: May 21, 2026, 10:29 PM
Updated: May 21, 2026, 10:29 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 6.8
remediation: 7.7
relevance: 9.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.