Description
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Published: 2026-05-21
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Concrete CMS versions older than 9.5.0 contain a Cross Site Request Forgery flaw in the dialog controller at concrete/controllers/dialog/express/association/reorder. An attacker who lures a logged‑in user to a page they control can make that user's browser submit the reorder action for an Express association without the user's knowledge, so the state change happens with the victim's privileges. The CVSS v4.0 vector records a low integrity impact on the vulnerable system only (VI:L, with no confidentiality or availability impact and no impact on subsequent systems), which is why the overall score is 2.3. The weakness is classified as CWE-352 (Cross-Site Request Forgery) and CWE-1275 (Sensitive Cookie with Improper SameSite Attribute).

Affected Systems

The affected product is Concrete CMS 9, specifically all releases prior to 9.5.0. No specific patch versions are listed beyond the upgrade to 9.5.0, which includes the CSRF protection fix. Administrators should confirm that the running instance is below 9.5.0 and plan the required upgrade path accordingly.

Risk and Exploitability

Because the flaw allows unauthorized action on a state‑changing endpoint, an attacker who can entice a legitimate user to a malicious page can trigger the reorder action with that user's privileges. The vector (AV:N/AC:L/AT:P/PR:N/UI:P) means the attacker needs no privileges of their own but does need an attack requirement to hold (a victim with a valid session) and passive user interaction (the victim visiting the page). The CVSS score of 2.3 signifies a low severity risk, and with no EPSS score available and no presence in KEV, the likelihood of widespread exploitation appears limited at present. The cross‑site nature of the attack still means that any authenticated user whose browser visits an attacker-controlled page while the session is valid is exposed, particularly on public websites or where users hold extensive editing privileges.

Generated by OpenCVE AI on May 21, 2026 at 22:22 UTC.

Remediation

The vendor fixed the issue in Concrete CMS 9.5.0 (the Description marks releases before 9.5.0 as vulnerable); no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade the Concrete CMS installation to version 9.5.0 or later to apply the CSRF fix.
  • Ensure that the reorder endpoint requires authentication and a CSRF token; if custom overrides exist, re‑enable the default validation or add an additional anti‑CSRF mechanism.
  • Restrict the reorder functionality to users who truly need it, or apply role‑based access control to minimize exposure.
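To make the second recommendation concrete, the following is an added example (not Concrete CMS code, and not derived from the patched controller) that models the attack described under Risk and Exploitability and the fix described above: a toy request object, a cookie-only "reorder" handler that a cross-site auto-submitted form can drive, and a hardened handler that requires a per-session synchronizer token, rejects a mismatching Origin header, and issues the session cookie with SameSite=Lax (the attribute whose absence CWE-1275 describes). The origin https://cms.example, the cookie name CONCRETE_SESSION and the form field csrf_token are assumptions chosen for illustration.

```python
"""Synchronizer-token CSRF protection for a state-changing 'reorder' endpoint.

Illustrative code only (not Concrete CMS's implementation): a toy request model
shows why cookie-only authorization is forgeable cross-site and how a per-session
token, an Origin check and a SameSite cookie attribute close the gap.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SITE_ORIGIN = "https://cms.example"      # assumed origin of the CMS
SESSION_COOKIE = "CONCRETE_SESSION"       # hypothetical session cookie name
TOKEN_FIELD = "csrf_token"                # hypothetical form field name

# Constructed server-side session store: session id -> session data
SESSIONS: dict = {}


def new_session() -> tuple:
    """Create a session and return (session_id, Set-Cookie attributes)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "editor", "csrf": secrets.token_urlsafe(32),
                     "order": ["a", "b", "c"]}
    # SameSite=Lax makes the browser withhold the cookie on cross-site POSTs,
    # so the forged request below would arrive unauthenticated in practice.
    cookie = {"name": SESSION_COOKIE, "value": sid,
              "Secure": True, "HttpOnly": True, "SameSite": "Lax"}
    return sid, cookie


def csrf_token_for(sid: str) -> str:
    """Token the legitimate page embeds in its reorder form or XHR body."""
    return SESSIONS[sid]["csrf"]


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _session_of(req: Request) -> Optional[dict]:
    sid = req.cookies.get(SESSION_COOKIE)
    return SESSIONS.get(sid) if sid else None


def reorder_vulnerable(req: Request) -> tuple:
    """Cookie-only authorization: any site that can make the victim's browser
    POST here (with the cookie attached) can change the order."""
    sess = _session_of(req)
    if req.method != "POST" or sess is None:
        return 401, "unauthenticated"
    sess["order"] = req.form["order"].split(",")
    return 200, "reordered"


def reorder_hardened(req: Request) -> tuple:
    """Same action, gated by a synchronizer token plus an Origin check."""
    sess = _session_of(req)
    if req.method != "POST" or sess is None:
        return 401, "unauthenticated"
    # Defence in depth: browsers set Origin on cross-site POSTs; reject mismatches.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "bad origin"
    # Constant-time comparison of the submitted token with the session's token.
    submitted = req.form.get(TOKEN_FIELD, "")
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403, "invalid csrf token"
    sess["order"] = req.form["order"].split(",")
    return 200, "reordered"


def forged_request(sid: str) -> Request:
    """Constructed sample of what a victim's browser sends when an attacker page
    auto-submits a form; the attacker cannot read or supply the session's token."""
    return Request("POST", cookies={SESSION_COOKIE: sid},
                   headers={"Origin": "https://attacker.example"},
                   form={"order": "c,b,a"})


def legit_request(sid: str) -> Request:
    """Constructed sample of the CMS's own page submitting the reorder."""
    return Request("POST", cookies={SESSION_COOKIE: sid},
                   headers={"Origin": SITE_ORIGIN},
                   form={"order": "b,a,c", TOKEN_FIELD: csrf_token_for(sid)})


def demo() -> dict:
    sid, _cookie = new_session()
    return {
        "vulnerable_forged": reorder_vulnerable(forged_request(sid)),
        "hardened_forged": reorder_hardened(forged_request(sid)),
        "hardened_legit": reorder_hardened(legit_request(sid)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run as a script it prints the three outcomes: the forged request succeeds against the cookie-only handler, is refused by the hardened one, and the legitimate submission carrying the token still goes through. The Origin check alone is not sufficient (older clients and some proxies strip the header, which is why a missing header is tolerated and the token remains mandatory), and the SameSite attribute is a browser-side mitigation that complements, rather than replaces, server-side token validation.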

Advisories

No advisories yet.

History

Thu, 21 May 2026 23:45:00 +0000

Type: First Time appeared
  Values Added: Concretecms; Concretecms concrete Cms
Type: Vendors & Products
  Values Added: Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type: Description
  Values Added: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Type: Title
  Values Added: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder
Type: Weaknesses
  Values Added: CWE-1275; CWE-352
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-21T21:29:13.458Z

Reserved: 2026-05-12T17:09:32.980Z

Link: CVE-2026-8415

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T22:16:51.347

Modified: 2026-05-21T22:16:51.347

Link: CVE-2026-8415

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T23:30:21Z

Weaknesses