CVE Catalog

CVE-2026-8428

High
Published: Translated: NVD NIST

Summary

Concrete CMS version 9.5.0 and below emits a CSRF token in the local_available_update.php view, but the do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php does not validate this token. This allows an attacker to perform a cross-site POST attack that can trigger a CMS update to a version specified by the attacker.

Risk Assessment

The lack of CSRF token validation poses a risk of unauthorized CMS updates, which could lead to the introduction of malicious code or unauthorized changes to the system.

Recommendation

It is recommended to update Concrete CMS to version 9.5.1 or later to mitigate this vulnerability. Additionally, CSRF token validation should be implemented in the do_update() method.

Original NVD description (English source)

Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php never calls $this->token->validate('do_update'). The form is rendered as a POST form, meaning the token reaches the browser, but because the controller discards it without verification, an attacker can craft a cross-site POST that triggers a core CMS update to an attacker-specified version string.  In order to be vulnerable, theictim must be passing canUpgrade()anda valid update version must be present under DIR_CORE_UPDATES. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS