CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
17.0%
Concrete CMS is vulnerable to Cross Site Request Forgery. The vulnerability is due improper implementation of anti csrf tokens within the following endpoint /ccm/system/dialogs/logs/delete_all/submit
. This issue can be exploited by an attacker by sending malicious url to the authenticated admin to delete server report logs.
documentation.concretecms.org/developers/introduction/version-history/923-release-notes
github.com/advisories/GHSA-qp42-5pj7-4ccm
github.com/concretecms/concretecms/pull/11764/commits/747d5bf776cc81c708f5d8f0d64a1e7eafb3f218
www.concretecms.org/about/project-news/security/2023-12-05-concrete-cms-new-cves-and-cve-updates
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
AI Score
Confidence
High
EPSS
Percentile
17.0%