Concrete CMS Security Advisory 2022-10-31

Concrete CMS Security Advisory 2022-10-31


Oct 31, 2022
by lisan

Fortbridge, an independent external penetration testing firm, has just concluded the 2022 annual penetration testing and vulnerability assessment of Concrete CMS Hosting as well as the open source project. If you host sites or intranets on Concrete CMS Hosting, we would be happy to provide you with a copy of the report upon request. 

We chose Fortbridge to conduct the assessment this year because of their numerous HackerOne reports and remediation collaboration in the past year to selflessly improve the open source Concrete CMS. 

We have released the security updates to Concrete CMS via two releases since there are two currently maintained versions of Concrete - 8.5.10 and 9.1.3. Also see the 8.5.10 Release Notes and 9.1.3 Release Notes. We created the following CVEs affecting Concrete CMS below 8.5.10 and 9.0.0 through 9.1.2:

CVE-2022-43693 

  • Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. Our security team ranked this 6.8 medium: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
  • This vulnerability is only exploitable if an attacker knows the Oauth client secret AND the Oauth client is set up without a redirect url which isn’t possible in v9. 

CVE-2022-43692 

  • Concrete CMS is vulnerable to an admin triggering a reflected XSS with a url. Our security team ranked this 6.4 medium CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
  • This vulnerability is only exploitable if the targeted administrator is using an old browser that lacks XSS protection

CVE-2022-43694 

CVE-2022-43967

CVE-2022-43968

CVE-2022-43686 

  • Concrete CMS is vulnerable to a high-load DoS since the authTypeConcreteCookieMap table can be filled up. The Concrete CMS Security team scored this 4.8 medium: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
  • The vulnerability is only exploitable by an attacker with a valid site user account

CVE-2022-43691 

  • Concrete reveals sensitive details (secrets in environment variables and _SERVER) for those sites which accidentally leave debug error output enabled on a production site. The Concrete CMS Security team scored this 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  • Mitigation for Concrete CMS below 8.5.10 and between 9.0.0 and 9.1.2 - ensure Debug Mode is turned off in production according to Concrete Configuration Best practices

CVE-2022-43687 

  • Concrete is vulnerable to Session Fixation since it does not issue a new session ID upon successful OAuth authentication. The Concrete CMS Security team scored this 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
  • Concrete CMS below 8.5.10 and between 9.0.0 and 9.1.2 DO migrate sessions when authenticating with username/password. Hence, if your site is set up to use username/password for logging-in,, your site is not affected by this vulnerability.

CVE-2022-43695 

  • Concrete is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. The Concrete CMS Security team scored this 3.1 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
  • This vulnerability can only be exploited by an attacker who already has administrator credentials. 

CVE-2022-43690 

  • Concrete is potentially vulnerable to limited authentication bypass since strict comparison is not used for the legacy_salt . The Concrete CMS Security team scored this 3.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
  • This would only be exploitable if:
    • Concrete was used to compare integers instead of strings.
    • The attacked user signed up when the site was concrete5 ~v5.4 and the attacked user has not logged in since the site was updated above v5.4
    • The password hash for the user generated just right to look like an integer like "0b1111111"

CVE-2022-43688 

CVE-2022-43689 

The releases also contains a fix for HackerOne 1696363# reported by @_akbar_jafarli_

CVE-2022-43556 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N