CVE-2023-48653
Published 2024-02-29
CVE-2023-48653: Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an…
Priority: P4 17 | Severity: medium | CVSS 3.1 base score: 4.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.28% (19.5th percentile)
Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| concrete5 | concrete5 | >= 0 < 8.5.14 | 8.5.14 |
| concrete5 | concrete5 | >= 9.0.0 < 9.2.3 | 9.2.3 |
| concretecms | concrete_cms | < 8.5.14 | 8.5.14 |
| concretecms | concrete_cms | >= 9.0.0 < 9.2.3 | 9.2.3 |
GHSA · 2024-02-29
CVE-2023-48653 [MEDIUM] CWE-352 Concrete CMS Cross Site Request Forgery (CSRF) vulnerability
OSV · 2024-02-29
CVE-2023-48653 [MEDIUM] Concrete CMS Cross Site Request Forgery (CSRF) vulnerability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://documentation.concretecms.org/developers/introduction/version-history/923-release-notes
- https://www.concretecms.org/about/project-news/security/2023-12-05-concrete-cms-new-cves-and-cve-updates
Published: 2024-02-29