Concrete CMS IDOR Vulnerability in Express Association Reorder Dialog

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability, combined with improper authorization levels, has been identified in Concrete CMS versions 9.5.0 and below. The issue occurs in the Express association Reorder dialog: a user holding only view permission on a specific entry can use the reorder request to tamper with the state of other entities (cross-entity state tampering). The vulnerability affects websites that use Express and rely on Express entity ordering.

Impact

Exploitation of this vulnerability could result in unauthorized modifications to the state of entities, allowing for cross-entity tampering in Express associations.
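The advisory describes the general shape of the flaw but not the fix, so the following is an added, generic illustration of the two checks a reorder endpoint needs: the caller must hold edit (not merely view) permission on the parent entity, and every ID in the submitted order must belong to that parent. This is example code written for this page, not Concrete CMS code; Concrete is written in PHP and the names here (Entry, Store, Permission, reorder_entries and the constructed sample data) are hypothetical and bear no relation to its real classes.

```python
"""Reorder handler: vulnerable form beside a hardened form.

Added example, not Concrete CMS code. Models the class of flaw in the advisory:
a reorder request carries a list of entry IDs for a parent entity. The server
must (1) require edit permission on the parent, since view-only is not enough,
and (2) confirm every submitted ID actually belongs to that parent, so the
caller cannot smuggle IDs from another entity into the batch.
All names and sample values below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Permission(Enum):
    NONE = 0
    VIEW = 1
    EDIT = 2


@dataclass
class Entry:
    entry_id: int
    parent_id: int   # the entity this entry is ordered within
    position: int


@dataclass
class Store:
    entries: dict            # entry_id -> Entry
    acl: dict                # (user, parent_id) -> Permission

    def permission(self, user: str, parent_id: int) -> Permission:
        return self.acl.get((user, parent_id), Permission.NONE)


class AuthorizationError(Exception):
    pass


def reorder_entries_vulnerable(store: Store, user: str, parent_id: int, ordered_ids: list) -> None:
    """BEFORE: any access to the parent suffices, and IDs are written unchecked."""
    if store.permission(user, parent_id) is Permission.NONE:
        raise AuthorizationError("no access to parent")
    for pos, eid in enumerate(ordered_ids):
        # IDOR: eid is trusted as-is; it may belong to a different parent
        store.entries[eid].position = pos


def reorder_entries(store: Store, user: str, parent_id: int, ordered_ids: list) -> dict:
    """AFTER: edit permission required, and the list must be exactly this parent's entries."""
    if store.permission(user, parent_id) is not Permission.EDIT:
        raise AuthorizationError("edit permission on parent required")
    owned = {e.entry_id for e in store.entries.values() if e.parent_id == parent_id}
    requested = set(ordered_ids)
    # Reject duplicates, foreign IDs, and partial lists in one comparison
    if len(requested) != len(ordered_ids) or requested != owned:
        raise AuthorizationError("order list must contain exactly the entries of this parent")
    for pos, eid in enumerate(ordered_ids):
        store.entries[eid].position = pos
    return {eid: store.entries[eid].position for eid in sorted(owned)}


def build_store() -> Store:
    """Constructed sample: parent 1 owns entries 10, 11, 12; parent 2 owns entry 20."""
    entries = [Entry(10, 1, 0), Entry(11, 1, 1), Entry(12, 1, 2), Entry(20, 2, 0)]
    acl = {("viewer", 1): Permission.VIEW, ("editor", 1): Permission.EDIT}
    return Store({e.entry_id: e for e in entries}, acl)


def demo() -> dict:
    results = {}

    # Vulnerable handler: a view-only user on parent 1 moves entry 20, which belongs to parent 2
    s = build_store()
    reorder_entries_vulnerable(s, "viewer", 1, [10, 11, 12, 20])
    results["vulnerable_foreign_position"] = s.entries[20].position

    # Hardened handler: view-only caller is refused outright
    s = build_store()
    try:
        reorder_entries(s, "viewer", 1, [10, 11, 12])
        results["hardened_viewer_rejected"] = False
    except AuthorizationError:
        results["hardened_viewer_rejected"] = True

    # Hardened handler: editor cannot smuggle a foreign ID into the batch
    s = build_store()
    try:
        reorder_entries(s, "editor", 1, [10, 11, 12, 20])
        results["hardened_foreign_rejected"] = False
    except AuthorizationError:
        results["hardened_foreign_rejected"] = True
    results["foreign_untouched"] = s.entries[20].position

    # Hardened handler: legitimate reorder by an editor succeeds
    s = build_store()
    results["hardened_editor_order"] = reorder_entries(s, "editor", 1, [12, 10, 11])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler compares the submitted set against the parent's own entries rather than checking each ID individually, which rejects foreign IDs, duplicates and partial lists with a single test and avoids a half-applied reorder.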

Added: May 26, 2026, 4:00 PM
Updated: May 26, 2026, 4:00 PM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          0.6
  exploitability  5.0
  remediation     7.7
  relevance       9.1
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.