Impact
Concrete CMS versions before 9.5.0 are exploitable because the user‑profile edit controller forwards the entire raw POST array to UserInfo::update() without validating which fields it contains (a mass‑assignment flaw). An attacker can therefore change a password without supplying the current one and, by placing the target user's identifier in the request, change an arbitrary user's password. The same POST payload can also disable the per‑user IP pinning of the session validator, a control intended to detect session hijacking. Together these allow an attacker to take over a user account and evade session‑based security checks, elevating privileges and potentially compromising the entire site.
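The handler shape the advisory describes, placed next to a hardened version, as an added illustration. This is constructed example code, not Concrete CMS source: the field names (uID, uPassword, uPasswordConfirm, uCurrentPassword, uEmail, uPinToIP), the User model and the password helpers are all assumptions chosen to make the pattern runnable; only the mechanism (raw POST fields honoured without an allow‑list, target selected by a request‑supplied id, no current‑password check, session pinning toggled from the body) comes from the text.

```python
"""Mass assignment in a profile-edit handler: the vulnerable shape
described in the advisory next to a hardened version.
Constructed illustration, not Concrete CMS code; field names,
the User model and the helpers are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    uid: int
    email: str
    password_hash: str
    pin_session_to_ip: bool = True  # per-user session-validator setting


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random salt, stored as 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def sample_users() -> Dict[int, User]:
    """Constructed sample data: an administrator and a low-privilege member."""
    return {
        1: User(1, "admin@example.test", hash_password("admin-secret")),
        2: User(2, "member@example.test", hash_password("member-secret")),
    }


class ProfileUpdateError(Exception):
    pass


def update_profile_vulnerable(users: Dict[int, User], session_uid: int, post: dict) -> User:
    """Mirrors the flaw: every POST key is honoured, the target user comes
    from the request, and no current password is required."""
    target = users[int(post.get("uID", session_uid))]  # attacker-controlled target
    for key, value in post.items():
        if key == "uPassword":
            target.password_hash = hash_password(value)
        elif key == "uEmail":
            target.email = value
        elif key == "uPinToIP":  # session-pinning flag reachable from the body
            target.pin_session_to_ip = value == "1"
    return target


# Fields a self-service profile form may send (assumed names). No uID, no uPinToIP.
ALLOWED_FIELDS = {"uEmail", "uCurrentPassword", "uPassword", "uPasswordConfirm"}


def update_profile_hardened(users: Dict[int, User], session_uid: int, post: dict) -> User:
    """Allow-list the fields, bind the target to the session, and require the
    current password for any password change."""
    unexpected = set(post) - ALLOWED_FIELDS
    if unexpected:
        raise ProfileUpdateError(f"unexpected fields: {sorted(unexpected)}")
    target = users[session_uid]  # never taken from the request body
    if "uPassword" in post:
        if not verify_password(post.get("uCurrentPassword", ""), target.password_hash):
            raise ProfileUpdateError("current password does not match")
        if post["uPassword"] != post.get("uPasswordConfirm"):
            raise ProfileUpdateError("password confirmation mismatch")
        target.password_hash = hash_password(post["uPassword"])
    if "uEmail" in post:
        target.email = post["uEmail"]
    return target


if __name__ == "__main__":
    # Constructed attack: member (uid 2) resets the admin's password and
    # switches off the admin's session IP pinning in one request.
    attack = {"uID": "1", "uPassword": "pwned", "uPinToIP": "0"}
    users = sample_users()
    victim = update_profile_vulnerable(users, session_uid=2, post=attack)
    print("vulnerable: admin password is now 'pwned':",
          verify_password("pwned", victim.password_hash),
          "| pinning:", victim.pin_session_to_ip)
    try:
        update_profile_hardened(sample_users(), session_uid=2, post=attack)
    except ProfileUpdateError as exc:
        print("hardened: rejected ->", exc)
```

The hardened variant fails closed on any field outside the allow‑list rather than silently dropping it, which also makes probing for hidden parameters visible in application logs.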
Affected Systems
Concrete CMS installations running versions earlier than 9.5.0 are affected. No narrower version range was listed; every release below the 9.5.0 threshold should be treated as affected.
Risk and Exploitability
The CVSS 4.0 vector yields a score of 5.3, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. From the description, the attack vector is remote over the web interface: an attacker submits a crafted HTTP POST request to the profile edit endpoint to trigger the password change and the session‑pinning bypass. Once the request is processed, the victim’s password has been altered and the session‑hardening mitigation disabled, enabling further compromise. The exploit requires no system‑level access or prior compromise beyond an account that can reach the affected endpoint, so any authenticated user who can load the profile edit page is a realistic attacker. A practical check on an installation is whether the profile edit handler accepts a user identifier or a session‑pinning flag from the request body at all; a correct handler binds the target to the authenticated session and ignores both.
OpenCVE Enrichment