Concrete CMS Cross-Site Request Forgery Vulnerability Allowing Remote Code Execution

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Concrete CMS versions 9.5.0 and below. The issue resides in the 'install_package()' method of 'concrete/controllers/single_page/dashboard/extend/install.php', which performs a state-changing action (installing a package) without verifying that the request was issued from the CMS's own dashboard. An attacker can exploit this by luring an authenticated administrator to a malicious page that submits the install request on the victim's behalf; because the browser attaches the victim's session cookies, the server-side permission check passes. The attack additionally requires that a package directory for the targeted handle already exists under 'DIR_PACKAGES/<handle>/'. The forced installation runs the package's install code as the web server user, which enables remote code execution. Exploitation requires that the victim holds the 'canInstallPackages' permission.
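To make the defect concrete, the following is an added example written for this page, not Concrete CMS code: a stripped-down PHP model of an "install package" dashboard action, first in the vulnerable shape (permission check only) and then hardened with an action-bound CSRF token. The class names, the FakeSession stand-in, and the 'ccm_token' form field name are assumptions made for the illustration; Concrete CMS ships its own token service, which this code does not use.

```php
<?php
// Added illustration for this advisory; not Concrete CMS source.
// Models a dashboard "install package" action with and without a CSRF check.
// FakeSession, CsrfToken, InstallController and the 'ccm_token' field name are
// assumptions made for the example.
declare(strict_types=1);

// Stand-in for the administrator's server-side session (constructed for the demo).
final class FakeSession
{
    public function __construct(public string $secret) {}
}

// Action-bound CSRF token: an HMAC over the action name, keyed with a secret
// that lives only in the victim's session. A page on another origin cannot read it.
final class CsrfToken
{
    public function __construct(private FakeSession $session) {}

    public function generate(string $action): string
    {
        return hash_hmac('sha256', $action, $this->session->secret);
    }

    public function validate(string $action, ?string $token): bool
    {
        if ($token === null) {
            return false;
        }
        // Constant-time comparison; a plain == would leak timing information.
        return hash_equals($this->generate($action), $token);
    }
}

final class InstallController
{
    /** @var string[] handles "installed" so far */
    public array $installed = [];

    public function __construct(private CsrfToken $token, private bool $canInstallPackages) {}

    // Vulnerable shape: only the permission is checked. A cross-site request
    // carries the victim's cookies, so this check passes for a forged request too.
    public function installPackageVulnerable(string $handle, array $request): bool
    {
        if (!$this->canInstallPackages) {
            return false;
        }
        $this->installed[] = $handle; // in the real CMS this runs the package's install code
        return true;
    }

    // Hardened shape: additionally require a token bound to this action that
    // only a dashboard page rendered for this session could have embedded.
    public function installPackageHardened(string $handle, array $request): bool
    {
        if (!$this->canInstallPackages) {
            return false;
        }
        if (!$this->token->validate('install_package', $request['ccm_token'] ?? null)) {
            return false;
        }
        $this->installed[] = $handle;
        return true;
    }
}

// Demonstration with constructed requests.
$session = new FakeSession(bin2hex(random_bytes(32)));
$token   = new CsrfToken($session);
$ctl     = new InstallController($token, true);

// Forged cross-site request: the attacker's page can name the handle but has no token.
$forged = ['package' => 'evil_pkg'];
// Legitimate request: the dashboard form embeds the token for this session.
$legit  = ['package' => 'evil_pkg', 'ccm_token' => $token->generate('install_package')];

printf("vulnerable, forged request accepted: %s\n",
    var_export($ctl->installPackageVulnerable('evil_pkg', $forged), true));
printf("hardened, forged request accepted: %s\n",
    var_export($ctl->installPackageHardened('evil_pkg', $forged), true));
printf("hardened, legitimate request accepted: %s\n",
    var_export($ctl->installPackageHardened('evil_pkg', $legit), true));
```

Run it with PHP 8 or later. The forged request carries no token, so the vulnerable method accepts it while the hardened one rejects it; only the request built from the session's own token passes the hardened path. The point for reviewers of similar code is that a permission check is not a CSRF defence, since a cross-site request rides on the victim's cookies, whereas the token works because a page on another origin cannot read it.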

Impact

Exploitation of this vulnerability allows Cross-Site Request Forgery against an administrator's session, leading to unauthorized package installation and, through the package's install code, remote code execution on the server as the web server user.

Added: May 21, 2026, 9:21 PM
Updated: May 21, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          7.5
  exploitability  6.2
  remediation     7.7
  relevance       9.0
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.