Description
Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
Published: 2026-05-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions 9.5.0 and prior allow an unauthenticated actor to discover the existence of any conversation message by ID and read its rating score through the '/ccm/frontend/conversations/get_rating' endpoint. The flaw is a classic indirect object reference (IDOR) that does not provide modification authority, but still leaks potentially sensitive data about user interactions. The underlying weakness corresponds to CWE‑862, Missing Authorization, which permits read‑only exposure of data that should be protected by authentication or role checks.

Affected Systems

The issue affects Concrete CMS, specifically all releases up to and including 9.5.0. Users running these versions must verify their installation and apply the vendor’s fix or upgrade to a later version.

Risk and Exploitability

With a CVSS score of 6.3, the vulnerability is considered moderate. The endpoint is publicly reachable, so an attacker only needs to supply a message ID to read the rating, making exploitation straightforward once the ID is known. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog, but the absence of authentication controls and the straightforward attack surface still pose a tangible risk of data leakage in affected systems.

Generated by OpenCVE AI on May 21, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Concrete CMS release that contains the fix for IDOR exposure (9.5.1 or newer).
  • If an upgrade is not immediately possible, restrict the '/ccm/frontend/conversations/get_rating' endpoint to authenticated users with appropriate permissions, ensuring that only authorized personnel can query message ratings.
  • Monitor API usage logs for unexpected or unauthenticated rating requests and investigate promptly.

Generated by OpenCVE AI on May 21, 2026 at 22:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Fri, 22 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Concretecms
Concretecms concrete Cms
Vendors & Products Concretecms
Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/get_rating' endpoint confirms existence and returns rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting.
Title Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/get_rating'
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Concretecms Concrete Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-22T12:29:59.743Z

Reserved: 2026-05-09T16:01:16.574Z

Link: CVE-2026-8239

cve-icon Vulnrichment

Updated: 2026-05-22T12:29:55.878Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-21T22:16:50.010

Modified: 2026-05-26T17:25:49.037

Link: CVE-2026-8239

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T23:00:14Z

Weaknesses