Concrete CMS Cross-Site Request Forgery Vulnerability in Package Update Process

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Concrete CMS versions 9.5.0 and below. The issue arises in the package update process: the application does not validate a CSRF token before processing requests to the update endpoint. This oversight allows an attacker to trick an authenticated administrator into triggering a package upgrade that the administrator never intended. Exploitation requires that the targeted package already be installed and that the administrator have permission to install packages.

Impact

Exploitation of this vulnerability could lead to unauthorized package upgrades. If the upgraded package version contains malicious code, this could result in code execution on the affected site.

Reproduction

To reproduce this vulnerability, an attacker must craft a page that, when visited by an authenticated administrator, causes the browser to send a request to the vulnerable update endpoint without a valid CSRF token. The attack is possible because the endpoint performs a state change on a GET request and does not validate a token before doing so.
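The following is an added illustration for defenders, not Concrete CMS code and not a description of the real endpoint's implementation. It models a package-update handler in the pattern the advisory describes (a state-changing GET with a permission check but no CSRF token check) beside a hardened handler that restricts the state change to POST and validates a session-bound token with a constant-time comparison. The Site, session and request shapes and the csrf_token field name are hypothetical.

```python
"""Vulnerable vs. hardened handling of a package-update request.

Added example, not Concrete CMS code: Site, new_session and the handler
signatures below are hypothetical and only model the pattern described in
the advisory (state change on GET, no CSRF token validated).
"""
import hmac
import secrets


def new_session(can_install_packages=True):
    """Hypothetical admin session: permission flag plus a per-session CSRF token.
    The browser attaches the session cookie to cross-site navigations as well,
    so the session is present whether or not the admin intended the request."""
    return {
        "can_install_packages": can_install_packages,
        "csrf_token": secrets.token_urlsafe(32),
    }


class Site:
    """Toy package registry standing in for the CMS package manager."""

    def __init__(self, installed):
        self.installed = set(installed)
        self.upgraded = []

    def upgrade(self, handle):
        self.upgraded.append(handle)


def vulnerable_update(site, session, method, params):
    """Pattern the advisory describes: permission and install state are checked,
    but the method is not restricted and no CSRF token is validated, so a
    cross-site GET issued by any page the admin visits reaches the upgrade."""
    if not session["can_install_packages"]:
        return 403
    handle = params.get("pkg")
    if handle not in site.installed:
        return 404
    site.upgrade(handle)
    return 200


def hardened_update(site, session, method, params):
    """Same endpoint with the two controls the fix needs: state changes only
    on POST, and a token bound to the admin's session must match before any
    upgrade runs. hmac.compare_digest avoids timing leaks on the comparison."""
    if method != "POST":
        return 405
    supplied = params.get("csrf_token", "")  # field name is an assumption
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403
    if not session["can_install_packages"]:
        return 403
    handle = params.get("pkg")
    if handle not in site.installed:
        return 404
    site.upgrade(handle)
    return 200


def simulate_cross_site_get():
    """Replays the forged request (a GET carrying no token) against both
    handlers and returns (vulnerable_status, hardened_status,
    upgrades_on_vulnerable_site, upgrades_on_hardened_site)."""
    session = new_session()
    forged = {"pkg": "example_pkg"}  # constructed: no token, as a cross-site page would send
    vuln_site = Site(["example_pkg"])
    hard_site = Site(["example_pkg"])
    v = vulnerable_update(vuln_site, session, "GET", forged)
    h = hardened_update(hard_site, session, "GET", forged)
    return v, h, list(vuln_site.upgraded), list(hard_site.upgraded)


if __name__ == "__main__":
    print(simulate_cross_site_get())  # (200, 405, ['example_pkg'], [])
```

The hardened handler fails closed in the order a reviewer would expect: method first, then token, then authorization, then the business check on whether the package is installed. Returning 405 for GET means an unintended navigation can never reach the upgrade path, and the token check rejects a POST that a cross-site form could submit, since that form cannot read the token from the admin's session.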

Remediation

Users are advised to update to Concrete CMS version 9.5.1 or later, where this vulnerability has been fixed.

Added: May 21, 2026, 9:23 PM
Updated: May 21, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 6.3
remediation: 7.7
relevance: 9.0
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.