We are excited to announce the release of Concrete version 9.2.3, as well as an update for Concrete CMS version 8.5, now at version 8.5.14. These releases come with a number of security updates, reinforcing our commitment to the security and reliability of Concrete CMS.
2023-12-05 Concrete CMS New CVEs and CVE Updates
The CVE review also identified some CVEs which needed to have the affected versions tweaked. A special thank you goes out to all community members who diligently report vulnerabilities via our channels on Concrete CMS Security and HackerOne. Your contributions are invaluable in helping us maintain a robust and secure platform.
Fixes in both Releases 9.2.3 and 8.5.14
The following are security fixes implemented in both Concrete 9.2.3 and 8.5.14:
- CVE-2023-48653: Fixed a Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit by updating the Update Dialog endpoints to only accept POST requests with tokens included. Prior to the fix, an attacker could force an admin to delete events on the site because the event ID is numeric and sequential. The Concrete CMS Security team scored this 4.3 with CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. Thanks Veshraj Ghimire for reporting.
- CVE-2023-48650: Addressed a Stored XSS vulnerability in Layout Preset Name. The Concrete CMS Security team scored this 3.5 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. Thanks to Solar Security CMS Research, in collaboration with d0bby, wezery0 and silvereniqma, for reporting!
CVEs Fixed in 9.2.3
The following CVEs were fixed in 9.2.3:
- CVE-2023-44762: Fixed a Reflected XSS in Tags. The affected file is in Bedrock and uses a custom library we wrote in version 9.2.0, so the vulnerability only affects 9.2.0-9.2.2.
- CVE-2023-44764: Fixed a Stored XSS in the Concrete Site Installation Name parameter.
- CVE-2023-48652: Cross-Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated. The Concrete CMS Security team scored this 6.3 with CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. This does not affect versions below 9. Thanks Veshraj Ghimire for reporting.
- CVE-2023-48651: Fixed a Cross Site Request Forgery (CSRF) to delete files at /ccm/system/dialogs/file/delete/1/submit by updating the Update Dialog endpoints to only accept POST requests with tokens included. The Concrete CMS Security team scored this 4.3 with CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L. This does not affect versions below 9. Thanks Veshraj Ghimire for reporting.
- CVE-2023-49337: Stored XSS on Admin Dashboard via /dashboard/system/basics/name. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks Ramshath MM for reporting H1 2232594. This vulnerability is not present in Concrete 8.5 and below.
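CVE-2023-48653 and CVE-2023-48651 above were both fixed by making the dialog endpoints accept only POST requests that carry a token. As an added example (not Concrete CMS's own code; the function names, the `ccm_token` field name and the array-based request shape are assumptions), this is what such a hardened delete handler looks like in plain PHP:

```php
<?php
// Added example, not Concrete CMS code: a "delete event" dialog handler built the
// way the fix above describes (POST only, token required). Names are assumptions.
const CSRF_SESSION_KEY = 'csrf_secret';

// One random secret per session; every action token is derived from it.
function csrfSecret(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Binding the token to the action name keeps a token issued for one form
// from being replayed against a different endpoint in the same session.
function csrfToken(array &$session, string $action): string
{
    return hash_hmac('sha256', $action, csrfSecret($session));
}

function csrfValidate(array &$session, string $action, ?string $presented): bool
{
    if ($presented === null || $presented === '') {
        return false;
    }
    return hash_equals(csrfToken($session, $action), $presented); // constant time
}

// Returns an HTTP status: 405 for a non-POST request, 403 for a missing or
// wrong token, 200 when the deletion may proceed.
function handleDeleteEvent(array &$session, string $method, array $post): int
{
    if ($method !== 'POST') {
        return 405; // a plain link or <img> from another origin can only send GET
    }
    // The method check alone is not enough: a hidden auto-submitting form on an
    // attacker page can POST; what it cannot do is read the victim's token.
    if (!csrfValidate($session, 'delete_event', $post['ccm_token'] ?? null)) {
        return 403;
    }
    // ... permission check and deletion of (int) $post['eventID'] would go here
    return 200;
}

// Demo: legitimate form (200), forged GET (405), POST without a token (403).
$session = [];
$form = ['eventID' => 42, 'ccm_token' => csrfToken($session, 'delete_event')];
var_dump(handleDeleteEvent($session, 'POST', $form) === 200);
var_dump(handleDeleteEvent($session, 'GET', ['eventID' => 42]) === 405);
var_dump(handleDeleteEvent($session, 'POST', ['eventID' => 42]) === 403);
```

The sequential numeric event ID is exactly why the token matters: the ID is guessable, so the only thing standing between a cross-site request and a deletion is a value the attacker's page cannot read.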
Updated CVEs
Upon review, we have identified that the impacted versions for the following CVEs need to be reduced.
- CVE-2023-28476 only affects Concrete versions 9.0-9.1.3 because the file details page does not exist in the Concrete Dashboard below version 9.0.0.
- CVE-2023-28474 only affects 9.0-9.1.3. It was a bug that was introduced in version 9.0.0.
- CVE-2023-28471 only affects 9.0-9.1.3 since Concrete versions below 9 do not use containers.
Acknowledgements
We would like to extend our heartfelt gratitude to the dedicated individuals and teams who have played a crucial role in identifying and addressing security vulnerabilities in Concrete CMS. Their contributions have been instrumental in enhancing the security and reliability of our platform.
Kudos to the Concrete CMS Security Team for their relentless efforts in assessing, scoring, and addressing each reported vulnerability, ensuring that Concrete CMS remains a secure and reliable platform.
We also want to thank the broader Concrete CMS community for their ongoing support and efforts in reporting vulnerabilities. It is through this collective vigilance and collaboration that we can continue to uphold high standards of security for all our users.
These updates are part of our ongoing effort to ensure the highest standards of security in Concrete CMS. We encourage all users of Concrete CMS to update to the latest versions to benefit from these security improvements.
Stay informed and secure with Concrete CMS!