CVE-2026-8415

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder

CVSS 2.3 (Low) | EPSS 0.1% | CWE-1275 | CWE-352
In short

Concrete CMS 9 before version 9.5.0 has a weakness that lets an attacker trick a logged-in user into performing an unwanted action on the site, such as reordering express associations, without that user's knowledge. This happens because the affected endpoint does not verify that the request was made intentionally from the site itself rather than forged by another web page.

Technical detail

A Cross Site Request Forgery (CSRF) vulnerability exists in the express association reorder endpoint (concrete/controllers/dialog/express/association/reorder) because the endpoint does not sufficiently verify that a request originated from the site's own interface rather than from a third-party page. The attacker needs no account on the target site: they craft a webpage that, when visited by an administrator who is logged in to the site, causes the administrator's browser to submit the reorder request with that session's cookies attached, reordering express associations without the administrator's knowledge. The attack requires user interaction (the victim visiting the attacker's page while authenticated) and has low integrity impact only (VI:L): it can change the order of express associations but does not disclose data or affect availability. Concrete CMS 9.5.0 fixes the issue.
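The following PHP script is an added illustration of the mechanism described above. It is not Concrete CMS code and makes no claim about how the real endpoint or its fix is written: it models a state-changing "reorder" handler the way a browser-driven CSRF attack sees it, once in a vulnerable shape that trusts the session cookie alone and once in a hardened shape that additionally requires a per-session anti-CSRF token and checks the Origin header. The parameter names (csrf_token, order), the session class, and the origin values are all hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration, not Concrete CMS code. The victim's browser attaches
// the session cookie to any cross-site POST automatically, so a handler
// that checks only "is there a logged-in session?" accepts a forged request.
// All names (csrf_token, order, the origin values) are hypothetical.

final class Session
{
    /** @var string[] current association order (constructed sample data) */
    public array $order = ['assoc-1', 'assoc-2', 'assoc-3'];
    public ?string $csrfToken = null;
    public bool $loggedIn = true;
}

/** Issue (once per session) the token the site's own pages embed in forms. */
function issueToken(Session $s): string
{
    if ($s->csrfToken === null) {
        $s->csrfToken = bin2hex(random_bytes(32)); // 256 random bits
    }
    return $s->csrfToken;
}

/** Vulnerable shape: a logged-in session is all that authorises the change. */
function reorderVulnerable(Session $s, array $post): int
{
    if (!$s->loggedIn) {
        return 403;
    }
    $s->order = array_values($post['order'] ?? []);
    return 200;
}

/**
 * Hardened shape: the request must carry the per-session token (which a
 * cross-site page cannot read) and, as defence in depth, must not declare
 * a foreign Origin. Both checks run before any state is touched.
 */
function reorderHardened(Session $s, array $post, array $headers, string $siteOrigin): int
{
    if (!$s->loggedIn) {
        return 403;
    }
    $token = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time, so the token cannot be guessed byte by byte
    if ($s->csrfToken === null || !is_string($token) || !hash_equals($s->csrfToken, $token)) {
        return 400; // missing or wrong anti-CSRF token
    }
    $origin = $headers['Origin'] ?? null;
    if ($origin !== null && $origin !== $siteOrigin) {
        return 403; // the browser says the request came from another site
    }
    $order = $post['order'] ?? null;
    if (!is_array($order)) {
        return 400;
    }
    $s->order = array_values($order);
    return 200;
}

// --- Simulation with constructed requests; no web server needed -------------
$site   = 'https://cms.example';
$victim = new Session();
$token  = issueToken($victim);

// A forged POST from an attacker page: session present, no token, foreign Origin.
$forgedPost    = ['order' => ['assoc-3', 'assoc-2', 'assoc-1']];
$forgedHeaders = ['Origin' => 'https://attacker.example'];

$unprotected = new Session();
printf("vulnerable handler: %d, order now %s\n",
    reorderVulnerable($unprotected, $forgedPost), implode(',', $unprotected->order));

printf("hardened handler, forged request: %d, order still %s\n",
    reorderHardened($victim, $forgedPost, $forgedHeaders, $site), implode(',', $victim->order));

// The site's own UI sends the token and a same-site Origin, so it still works.
$legitPost = $forgedPost + ['csrf_token' => $token];
printf("hardened handler, legitimate request: %d, order now %s\n",
    reorderHardened($victim, $legitPost, ['Origin' => $site], $site), implode(',', $victim->order));
```

Run with `php csrf_reorder.php`: the vulnerable handler applies the forged order, the hardened handler rejects the same request and leaves the order untouched, and the request carrying the token from the site's own form succeeds. The token check is the essential control; the Origin comparison and a SameSite attribute on the session cookie (the CWE-1275 angle listed above) reduce exposure further but should not replace it, since older browsers and some cross-site navigations do not send or honour them consistently.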

Summary generated and translated by AI from the official description.
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
