Impact
In Concrete CMS 9.5.0 and earlier, the RSS Displayer block accepts any feed URL supplied by a page editor and fetches it server‑side, following HTTP redirects without checking where they lead. An attacker who can edit a page can therefore point the block at a URL under their control that answers with a redirect to an internal address; the CMS follows it and contacts internal services that would otherwise be unreachable from outside. The flaw is a Server‑Side Request Forgery, classified as CWE‑918. The CVSS v4.0 score of 2.1 rates it low, largely because the attacker must already hold editing rights, but even a low-scored SSRF can reveal internal network layout and serve as a foothold for later exploitation.
Affected Systems
Concrete CMS sites running version 9.5.0 or earlier are affected. The exposure is limited to users with page‑editing permissions who can add or modify an RSS Displayer block. Versions newer than 9.5.0 are not listed as affected in the current advisory. No vendor patch or work‑around is recorded in the advisory, although the Concrete CMS security team has acknowledged the issue.
Risk and Exploitability
The attack requires the ability to edit a page and add or change an RSS block, a right normally limited to content editors. Once an attacker‑chosen URL is in place, the CMS can be made to reach internal resources, potentially disclosing sensitive information or enabling lateral movement. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog; the low CVSS score reflects the precondition that the attacker already holds editing rights rather than the absence of impact. The ability to turn the CMS into a request proxy for its internal network is a non‑trivial risk and should be mitigated promptly. In the absence of a vendor fix, the usual SSRF controls apply: restrict which roles may add the block, and filter outbound connections from the CMS host so it cannot reach link‑local, loopback or private address ranges.
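The Impact and Risk sections above describe the mechanism in prose: the fetcher follows a Location header to an internal address. The following is an added illustration, not Concrete CMS code and not taken from the advisory, that simulates the vulnerable pattern next to a hardened fetcher which disables automatic redirects and re‑validates every hop. DNS answers, HTTP responses, hostnames and the placeholder public addresses 1.2.3.4 and 5.6.7.8 are all constructed in‑memory stand‑ins so the script runs offline.

```python
"""Simulated SSRF via redirect in a feed fetcher, beside a hardened fetcher that
validates each hop. Everything below is a constructed stand-in: no real DNS or
HTTP is performed, and none of this is Concrete CMS code."""
import ipaddress
from urllib.parse import urlsplit, urljoin

MAX_REDIRECTS = 5

# Constructed DNS table (assumption: stands in for socket.getaddrinfo).
# 1.2.3.4 / 5.6.7.8 are placeholders that ipaddress treats as public; the RFC 5737
# documentation ranges would be classified as non-public and cannot be used here.
FAKE_DNS = {
    "feeds.example.org": ["1.2.3.4"],
    "attacker.example.net": ["5.6.7.8"],
    "metadata.internal": ["169.254.169.254"],   # attacker-controlled name pointing inside
}

# Constructed HTTP responses: url -> (status, Location header or None, body).
FAKE_HTTP = {
    "http://feeds.example.org/rss.xml": (200, None, "<rss>public feed</rss>"),
    # The attacker's "feed" redirects the CMS to a link-local metadata service.
    "http://attacker.example.net/feed": (302, "http://169.254.169.254/latest/meta-data/", ""),
    "http://169.254.169.254/latest/meta-data/": (200, None, "ami-id\ninstance-id\n"),
    # Same trick through a hostname whose DNS answer is link-local.
    "http://attacker.example.net/feed2": (302, "http://metadata.internal/", ""),
    "http://metadata.internal/": (200, None, "ami-id\ninstance-id\n"),
    # A benign relative redirect that a hardened fetcher must still allow.
    "http://attacker.example.net/feed3": (302, "/rss.xml", ""),
    "http://attacker.example.net/rss.xml": (200, None, "<rss>attacker feed</rss>"),
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


class BlockedRequest(Exception):
    """Raised when a hop of the fetch would reach a non-public address."""


def http_get(url):
    """Stand-in for one HTTP request with automatic redirect following disabled."""
    if url not in FAKE_HTTP:
        raise KeyError("no constructed response for %s" % url)
    return FAKE_HTTP[url]


def resolve(host):
    """IP literals for host: the literal itself, or the constructed DNS answer."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def is_public_address(ip_str):
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:169.254.169.254 must be judged as IPv4
    if ip.version == 4 and ip in ipaddress.ip_network("100.64.0.0/10"):
        return False                 # shared address space (CGNAT) is not in is_private
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url):
    """Allow only http(s) to a host whose every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedRequest("scheme %r not allowed" % parts.scheme)
    if not parts.hostname:
        raise BlockedRequest("missing host")
    addrs = resolve(parts.hostname)
    if not addrs:
        raise BlockedRequest("unresolvable host %s" % parts.hostname)
    for addr in addrs:               # every answer must pass, not just the first
        if not is_public_address(addr):
            raise BlockedRequest("%s resolves to non-public %s" % (parts.hostname, addr))
    return addrs


def fetch_naive(url):
    """Vulnerable pattern: no validation, every Location header is followed."""
    for _ in range(MAX_REDIRECTS + 1):
        status, location, body = http_get(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return url, body
    raise BlockedRequest("too many redirects")


def fetch_hardened(url):
    """Fixed pattern: redirects are followed manually and each hop is validated first.
    A real client must also connect to the validated address (IP pinning) so a
    second DNS lookup cannot swap in an internal answer."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(url)
        status, location, body = http_get(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        return url, body
    raise BlockedRequest("too many redirects")


def is_blocked(url):
    """True if the hardened fetcher refuses the URL or any redirect it leads to."""
    try:
        fetch_hardened(url)
        return False
    except BlockedRequest:
        return True


if __name__ == "__main__":
    print("naive:", fetch_naive("http://attacker.example.net/feed"))
    print("hardened blocked:", is_blocked("http://attacker.example.net/feed"))
```

The naive fetcher ends up returning the metadata body from 169.254.169.254; the hardened one raises on the second hop, while a redirect that stays on a public host (feed3) still succeeds. Validating only the first URL is not enough: the check has to run on every hop, and on every address the hostname resolves to.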
OpenCVE Enrichment