Security
It recently came to our attention that NIST misunderstood the likelihood and impact of a vulnerability that PortlandLabs, founders and maintainers of the open source Concrete CMS project, recently reported.
A number of medium- and low-severity security vulnerabilities have been fixed in versions 9.0 through 9.2. Thanks so much to all the community members who report vulnerabilities following the process outlined on https://www.concretecms.org/security so that they can be triaged and remediated!
Fortbridge, an independent external penetration testing firm, has just concluded the 2022 annual penetration testing and vulnerability assessment of Concrete CMS Hosting as well as the open source project. If you host sites or intranets on Concrete CMS Hosting, we would be happy to provide you with a copy of the report upon request.
We chose Fortbridge to conduct this year's assessment because of the numerous HackerOne reports they submitted, and the remediation work they collaborated on, over the past year to selflessly improve the open source Concrete CMS.
The security updates ship in two releases, one for each currently maintained version of Concrete: 8.5.10 and 9.1.3. See also the 8.5.10 Release Notes and 9.1.3 Release Notes. We created the following CVEs, affecting Concrete CMS below 8.5.10 and 9.0.0 through 9.1.2:
- Concrete CMS is vulnerable to CSRF due to the lack of a "state" parameter in the external Concrete authentication service, affecting users of the "out of the box" core OAuth login. Our security team ranked this 6.8 medium: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
  - This vulnerability is only exploitable if an attacker knows the OAuth client secret AND the OAuth client is set up without a redirect URL, which is not possible in v9.
- Concrete CMS is vulnerable to reflected XSS triggered when an administrator opens a crafted URL. Our security team ranked this 6.4 medium: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
  - This vulnerability is only exploitable if the targeted administrator is using an old browser that lacks built-in XSS protection.
- Concrete CMS is vulnerable to reflected XSS in the image manipulation library due to unsanitized output. The Concrete CMS Security team scored this 5.9 medium: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
- Concrete CMS is vulnerable to reflected XSS in the multilingual report due to unsanitized output. The Concrete CMS Security team scored this 5.9 medium: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
- Concrete CMS is vulnerable to reflected XSS in dashboard icons due to unsanitized output. The Concrete CMS Security team scored this 5.9 medium: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
- Concrete CMS is vulnerable to a resource-exhaustion denial of service, since the authTypeConcreteCookieMap table can be filled up without limit. The Concrete CMS Security team scored this 4.8 medium: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
  - The vulnerability is only exploitable by an attacker with a valid site user account.
- Concrete reveals sensitive details (secrets held in environment variables and $_SERVER) on sites that accidentally leave debug error output enabled in production. The Concrete CMS Security team scored this 4.3 medium: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  - Mitigation for Concrete CMS below 8.5.10 and between 9.0.0 and 9.1.2: ensure Debug Mode is turned off in production, as described in the Concrete Configuration Best Practices.
- Concrete is vulnerable to session fixation, since it does not issue a new session ID upon successful OAuth authentication. The Concrete CMS Security team scored this 4.2 medium: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
  - Concrete CMS below 8.5.10 and between 9.0.0 and 9.1.2 DO regenerate the session ID when authenticating with username/password. Hence, if your site uses username/password login, it is not affected by this vulnerability.
- Concrete is vulnerable to stored cross-site scripting (XSS) in dashboard/system/express/entities/associations, because an association may reference an entity name that does not exist, or one whose name contains an XSS payload, and that name is output without proper sanitization. The Concrete CMS Security team scored this 3.1 low: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
  - This vulnerability can only be exploited by an attacker who already has administrator credentials.
- Concrete is potentially vulnerable to a limited authentication bypass, since strict comparison is not used for the legacy_salt. The Concrete CMS Security team scored this 3.1 low: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
  - This would only be exploitable if all of the following hold:
    - the comparison is performed numerically rather than as strings (PHP loose comparison of numeric-looking strings);
    - the targeted user signed up when the site was running concrete5 ~v5.4 and has not logged in since the site was updated beyond v5.4; and
    - the user's stored password hash happens to look like an integer, such as "0b1111111".
- Concrete is vulnerable to XSS in icons. The Concrete CMS Security team scored this 3.1 low: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
- Concrete is vulnerable to XML External Entity (XXE) injection that triggers outbound DNS requests, which can disclose the server's IP address. The Concrete CMS Security team scored this 2.2 low: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
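The OAuth CSRF item (missing "state" parameter) and the session fixation item (no new session ID after OAuth login) are two halves of the same login flow. The PHP below is an added example written for this page, not Concrete CMS code: it shows a state value bound to the browser session and checked on the callback, and the session ID being rotated once authentication succeeds. The endpoint URL, client ID, function names and the `user_id` session key are this example's own assumptions.

```php
<?php
// Added example (not Concrete CMS code): OAuth login hardening for the two
// advisories above.
//   1. An unguessable `state` bound to the user's session and verified on the
//      callback, so a forged callback URL cannot complete a login (CSRF).
//   2. A fresh session ID on successful authentication, so a session ID an
//      attacker planted before login is never promoted (session fixation).
// Endpoint, client ID, function names and the user_id key are assumptions.
declare(strict_types=1);

// Build the redirect to the identity provider and remember the `state`.
function buildAuthorizeUrl(string $authorizeEndpoint, string $clientId, string $redirectUri): string
{
    $state = bin2hex(random_bytes(32));         // 256 bits from the CSPRNG
    $_SESSION['oauth_state'] = $state;          // bound to this browser's session only
    return $authorizeEndpoint . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'state'         => $state,
    ]);
}

// Called on the redirect_uri with the provider's query parameters.
// Returns the authorization code to exchange, or null if the callback is rejected.
function validateCallback(array $query): ?string
{
    $expected = $_SESSION['oauth_state'] ?? null;
    unset($_SESSION['oauth_state']);            // single use: a replayed callback also fails
    if ($expected === null || !isset($query['state']) || !is_string($query['state'])) {
        return null;                            // no login in progress, or no state sent back
    }
    if (!hash_equals($expected, $query['state'])) {
        return null;                            // attacker-supplied or stale state
    }
    return isset($query['code']) && is_string($query['code']) ? $query['code'] : null;
}

// After the code has been exchanged and the user identified: promote the session.
function completeLogin(int $userId): void
{
    session_regenerate_id(true);                // new ID, old one destroyed: defeats fixation
    $_SESSION['user_id'] = $userId;
}

// Stand-alone demonstration (constructed values; works under the PHP CLI too).
session_start();

// Legitimate flow: the state in the callback is the one we issued.
$url = buildAuthorizeUrl('https://idp.example/authorize', 'demo-client', 'https://site.example/oauth/callback');
parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
$code = validateCallback(['code' => 'real-code', 'state' => $params['state']]);
$idBeforeLogin = session_id();
completeLogin(42);
$rotated = session_id() !== $idBeforeLogin;

// Forged flow: a victim lured to an attacker's callback URL. The state does
// not match the one in the victim's session, so no login is completed.
buildAuthorizeUrl('https://idp.example/authorize', 'demo-client', 'https://site.example/oauth/callback');
$forged = validateCallback(['code' => 'attacker-code', 'state' => 'guessed']);

echo 'legitimate callback accepted: ', var_export($code === 'real-code', true), "\n";
echo 'session id rotated on login:  ', var_export($rotated, true), "\n";
echo 'forged callback rejected:     ', var_export($forged === null, true), "\n";
```

The state is compared with hash_equals rather than == so that the check is both type-strict and constant-time, and it is removed from the session before the comparison so that a callback can only be consumed once.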
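The legacy_salt item turns on the difference between loose and strict comparison. The PHP below is an added example written for this page, not Concrete CMS code; it uses the well-known "0e" numeric-string case to show why == is unsafe for hashes, then the strict, constant-time check. The legacy hash format assumed in the upgrade helper (md5 of password plus salt) is this example's own assumption, as the page does not describe the real legacy scheme.

```php
<?php
// Added example (not Concrete CMS code) for the legacy_salt finding above:
// PHP's loose comparison (==) compares two numeric-looking strings as numbers,
// so distinct hashes can compare equal. hash_equals() is both type-strict and
// constant-time. The legacy hash format below is an assumption for illustration.
declare(strict_types=1);

// Two different MD5 digests that == treats as equal: both have the form
// 0e<digits>, which PHP reads as the float 0 in a loose comparison.
const HASH_A = '0e462097431906509019562988736854'; // md5('240610708')
const HASH_B = '0e830400451993494058024219903391'; // md5('QNKCDZO')

// Vulnerable pattern: loose comparison of a stored hash with a computed one.
function looseHashMatch(string $stored, string $computed): bool
{
    return $stored == $computed;
}

// Hardened pattern: strict and constant-time.
function strictHashMatch(string $stored, string $computed): bool
{
    return hash_equals($stored, $computed);
}

// Accounts that still carry a legacy hash are verified strictly and rehashed
// with password_hash() on their next successful login, which is the point at
// which the "has not logged in since the upgrade" caveat above stops applying.
function verifyLegacyAndUpgrade(string $password, string $legacySalt, string $storedLegacyHash, ?string &$newHash): bool
{
    $computed = md5($password . $legacySalt);   // assumed legacy format (illustrative)
    if (!hash_equals($storedLegacyHash, $computed)) {
        return false;
    }
    $newHash = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

// Stand-alone demonstration with constructed values.
echo 'md5 digests really are 0e strings: ',
    var_export(md5('240610708') === HASH_A && md5('QNKCDZO') === HASH_B, true), "\n";
echo 'loose  (==)         : ', var_export(looseHashMatch(HASH_A, HASH_B), true), "\n";  // true: bypass
echo 'strict (hash_equals): ', var_export(strictHashMatch(HASH_A, HASH_B), true), "\n"; // false

$upgraded = null;
$ok = verifyLegacyAndUpgrade('correct horse', 'demo-salt', md5('correct horse' . 'demo-salt'), $upgraded);
echo 'legacy login verified and rehashed: ',
    var_export($ok && $upgraded !== null && password_verify('correct horse', $upgraded), true), "\n";
```

A password candidate whose md5 also starts with 0e would pass the loose check against either stored digest without being the real password; the strict check only passes for a byte-identical digest.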
The releases also contain a fix for HackerOne report 1696363, reported by @_akbar_jafarli_:
CVE-2022-43556: Concrete CMS is vulnerable to XSS via the text input field, since the results dashboard page outputs the submitted value without sanitization. The Concrete CMS security team ranked this 4.2 medium, with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N.
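The reflected and stored XSS items above, and CVE-2022-43556 here, share one root cause: a value reaches the page without being escaped for the context it is written into. The PHP below is an added example written for this page, not Concrete CMS code (Concrete's core ships its own h() helper for the same purpose; this block defines its own so that it runs stand-alone). The renderer, the hostile input and the field name are constructed for the example.

```php
<?php
// Added example (not Concrete CMS code) for the XSS findings above: escape at
// output time, for the context the value lands in. The hostile input and the
// results-page renderer are constructed for illustration.
declare(strict_types=1);

// Escape for HTML text and for quoted attribute values. ENT_QUOTES also escapes
// the single quote, ENT_SUBSTITUTE avoids returning '' on invalid UTF-8 (which
// would silently hide the failure), and the explicit charset prevents
// multibyte escaping tricks.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for embedding inside a <script> block as a JS string literal. The
// JSON_HEX_* flags hex-encode < > & ' " so "</script>" cannot close the block.
function js(string $value): string
{
    $out = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
    return $out === false ? '""' : $out;
}

// Vulnerable: echoes the submitted text straight into the dashboard page.
function renderResultUnsafe(string $submitted): string
{
    return '<tr><td>' . $submitted . '</td></tr>';
}

// Hardened: same markup, escaped at the point of output.
function renderResultSafe(string $submitted): string
{
    return '<tr><td>' . h($submitted) . '</td></tr>';
}

// Reflected case: a search term echoed back into an attribute and a script.
function renderSearchSafe(string $term): string
{
    return '<input name="q" value="' . h($term) . '">'
         . '<script>var lastQuery = ' . js($term) . ';</script>';
}

// Constructed hostile input of the kind a text field or a crafted URL carries.
const PAYLOAD = '"><img src=x onerror="alert(document.cookie)"></script><script>alert(1)';

echo "unsafe:\n", renderResultUnsafe(PAYLOAD), "\n\n";
echo "safe:\n", renderResultSafe(PAYLOAD), "\n\n";
echo "reflected, safe:\n", renderSearchSafe(PAYLOAD), "\n\n";

// The hardened output contains no raw tag delimiters from the input.
echo 'no raw < > left in safe output: ',
    var_export(!preg_match('/<(?!\/?(tr|td|input|script)\b)/', renderResultSafe(PAYLOAD) . renderSearchSafe(PAYLOAD)), true), "\n";
```

Sanitizing on input (stripping tags when the value is stored) is not a substitute: the stored-XSS item above shows a name that was accepted once and then rendered in several places, and only escaping at each output point guarantees the right encoding for each context.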
We recently announced that Concrete v8 will be end of life in late 2022, but that doesn't have to mean you won't be able to run a Concrete v8 site beyond New Year's.
Updated 2022-09-14: Critical Security updates for Concrete v8 will be issued through end 2023. More info - https://www.concretecms.org/about/project-news/security/security-support-concrete-v8x
Original Blog:
Please be aware that Concrete CMS version 8 will be EOL on 31 Dec 2022. We encourage you to plan to upgrade to Concrete version 9 before then. You are going to love the new features that come with version 9!
Concrete CMS has had a privacy policy for years which encompassed the Concrete related websites and the open source project. Now we have created a Concrete CMS Hosting Privacy Policy for those who host their websites and intranets with us.
We are normally informed about supply chain hacks like this one from sources such as US-CERT (Homeland Security), DoD ARCYBER, SANS and the like. Official sources like these are important to follow to stay current, but yesterday we saw one happen more or less in real time.
Updated 2022-09-14: Critical Security updates for Concrete v8 will be issued through end 2023. More info - https://www.concretecms.org/about/project-news/security/security-support-concrete-v8x
Original Blog:
When we released Concrete CMS version 9 in 2021 we promised to continue to release security updates for the 8.5.x branch until at least May 1st, 2022.
We are now extending that support period through December 31st, 2022.
MITRE has finally published CVE-2021-22954, which was remediated in version 9.0. In Concrete CMS versions below 9 the CSRF token is embedded in dynamically generated JavaScript, which exposes it to cross-site script inclusion from a page on another origin.
If you are running a Concrete version below 9, we recommend you implement the mitigation: a header configuration applied to nginx or Apache.
We patch and update stuff all the time behind the scenes for our Concrete CMS Hosting clients without blogging about it. However, there is a lot of publicity about PWNKIT (CVE-2021-4034), a major Linux vulnerability so hot off the presses that the CVE is still in "reserved" status. It is a local privilege escalation in polkit's pkexec that allows any unprivileged local user to gain root access. Hence, we are writing to let you know that we have implemented the suggested mitigation on all our servers and have tested to verify that the mitigation works.