Concrete CMS Cross-Site Request Forgery Vulnerability in File Version Approval

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Concrete CMS versions through 9.5.0. The flaw is in the Backend\File::approveVersion method: a logged-in user who holds the edit_file_contents permission can be tricked into publishing a file version chosen by an attacker. This allows the file to be downgraded to an older version or an unpublished version uploaded by a co-editor to be activated.

Impact

Exploitation of this vulnerability could lead to unauthorized file version changes, allowing for potential downgrades of files or activation of unpublished versions, disrupting collaborative workflows and file management processes.

Remediation

Users should upgrade to Concrete CMS version 9.5.1 or later, where this vulnerability has been fixed.

Added: May 26, 2026, 4:00 PM
Updated: May 26, 2026, 4:00 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 6.2
remediation: 7.7
relevance: 9.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.