Skip to content

Commit 314dc54

Browse files
1 parent 1bac455 commit 314dc54

1 file changed

Lines changed: 31 additions & 10 deletions

File tree

advisories/unreviewed/2026/05/GHSA-jr5g-qv3g-rxxx/GHSA-jr5g-qv3g-rxxx.json renamed to advisories/github-reviewed/2026/05/GHSA-jr5g-qv3g-rxxx/GHSA-jr5g-qv3g-rxxx.json

Lines changed: 31 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,23 +1,40 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-jr5g-qv3g-rxxx",
4-
"modified": "2026-05-26T15:32:09Z",
4+
"modified": "2026-06-24T18:28:42Z",
55
"published": "2026-05-21T21:30:38Z",
66
"aliases": [
77
"CVE-2026-8417"
88
],
9-
"details": "Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before executing upgradeCoreData() and upgrade() on the named package's controller. Because the endpoint is a state-changing GET route with no token enforcement, an attacker can force an authenticated administrator to trigger a package upgrade via a single cross-site navigation.In order to be vulnerable, the victim must be passing canInstallPackages() and and a target package must already be already installed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks  https://github.com/maru1009  for reporting.",
9+
"summary": "Concrete does not validate a CSRF token before processing requests to `/dashboard/extend/update/do_update/<pkgHandle>`",
10+
"details": "Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before executing upgradeCoreData() and upgrade() on the named package's controller. Because the endpoint is a state-changing GET route with no token enforcement, an attacker can force an authenticated administrator to trigger a package upgrade via a single cross-site navigation.In order to be vulnerable, the victim must be passing canInstallPackages() and and a target package must already be already installed. The Concrete CMS security team thanks @maru1009 for reporting this issue.",
1011
"severity": [
11-
{
12-
"type": "CVSS_V3",
13-
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
14-
},
1512
{
1613
"type": "CVSS_V4",
17-
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
14+
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "concrete5/concrete5"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "9.5.1"
32+
}
33+
]
34+
}
35+
]
1836
}
1937
],
20-
"affected": [],
2138
"references": [
2239
{
2340
"type": "ADVISORY",
@@ -26,15 +43,19 @@
2643
{
2744
"type": "WEB",
2845
"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/concretecms/concretecms"
2950
}
3051
],
3152
"database_specific": {
3253
"cwe_ids": [
3354
"CWE-352"
3455
],
3556
"severity": "HIGH",
36-
"github_reviewed": false,
37-
"github_reviewed_at": null,
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-06-24T18:28:42Z",
3859
"nvd_published_at": "2026-05-21T21:16:33Z"
3960
}
4061
}

0 commit comments

Comments
 (0)