2025-04-03 Concrete CMS Security Advisory - Security fixes in 9.4.0 Release Candidates

Apr 4, 2025
by lisan

Concrete CMS 9.4.0 Release Candidate 1 (RC1), released in March 2025, fixed a stored Cross-Site Scripting (XSS) vulnerability in the folder functionality, CVE-2025-0660. Versions below 8 were not affected:

  • Issue: The "Add Folder" functionality lacked proper input sanitization, allowing a rogue admin to inject XSS payloads through folder names.
  • Resolution: Input sanitization has been implemented in the folder selector dropdown, and folder deletion issues were addressed as part of the same fix.
  • Impact: The Concrete CMS Security Team gave this vulnerability a CVSS v4.0 score of 4.8, with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N indicating a medium severity level.
  • Acknowledgment: We extend our gratitude to Alfin Joseph for reporting this vulnerability via HackerOne.

Concrete CMS 9.4.0 RC2 and Concrete CMS 8.5.20, both released 1 April 2025, fixed CSRF and XSS vulnerabilities in the Concrete CMS Custom Address attribute, CVE-2025-3153.

  • Issue: The Address custom attribute was vulnerable to CSRF and XSS attacks when rendering addresses not attached to a specific country.
  • Resolution: Address attribute values are now sanitized when they are saved.
  • Impact: The Concrete CMS Security Team gave this vulnerability a CVSS v4.0 score of 5.1, with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L, indicating a medium severity level. Attackers are limited to users whom a site administrator has granted the ability to fill in an address attribute. An attacker could glean limited information from the site, but the amount and type are restricted by mitigating controls and by the attacker's level of access. Limited data modification is possible. The dashboard page itself could be rendered unavailable.
  • Additional Suggested Mitigations: The fix only sanitizes data saved after updating to Concrete CMS 9.4.0 RC2 or 8.5.20. Address values stored before the update could still contain malicious code if the vulnerability was exploited prior to updating, so a search of the existing database entries is recommended.
  • Acknowledgment: The Concrete CMS team’s very own Myq Larson reported this vulnerability. 
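The database search suggested above is left to the site operator. The following queries are an added example, not part of the advisory or of the Concrete CMS codebase, showing one way to triage pre-update rows for both CVE-2025-3153 (address values) and CVE-2025-0660 (folder names). The table and column names (atAddress and its address columns, TreeNodes.treeNodeName) are assumed from the Concrete CMS schema and must be confirmed against your own database; the marker pattern is a heuristic and every hit needs manual review.

```sql
-- Added example (not from the Concrete CMS advisory or codebase): find stored
-- address and folder values that contain HTML or script markers.
-- ASSUMED schema: atAddress(avID, address1, address2, city, state_province,
-- postal_code, country) and TreeNodes(treeNodeID, treeNodeName). Verify first.
-- MySQL/MariaDB syntax. Run against a copy or read replica, never in production
-- without a backup, and treat every row returned as a candidate, not a verdict.

-- 1. Address attribute values (CVE-2025-3153): check every free-text column
--    at once by concatenating them, so a payload split across fields is seen.
SELECT avID, address1, address2, city, state_province, postal_code, country
FROM atAddress
WHERE CONCAT_WS(' ', address1, address2, city, state_province, postal_code, country)
      REGEXP '<[a-zA-Z/!]|javascript:|on[a-z]+[[:space:]]*=|&#';
--    Markers: an opening tag or comment, a javascript: URL, an inline event
--    handler (onerror=, onload=, ...), or a numeric entity used for encoding.
--    Plain text such as "Washington = " will also match the handler pattern;
--    that is the accepted cost of a recall-oriented triage query.

-- 2. File-manager folder names (CVE-2025-0660): same markers, single column.
SELECT treeNodeID, treeNodeName
FROM TreeNodes
WHERE treeNodeName REGEXP '<[a-zA-Z/!]|javascript:|on[a-z]+[[:space:]]*=|&#';
```

Rows that come back should be inspected and either cleaned or deleted through the normal Concrete CMS dashboard so that any caches or denormalised copies are refreshed along with the database row. If your attribute data lives under different table names, substitute them but keep the same pattern.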

Concrete CMS 8.5.20, released 1 April 2025, also made API key storage safer for sites running Concrete 8 on Microsoft Windows. Versions prior to 8.5.20 shipped a league/oauth2-server dependency that could not be updated. Thanks to Mlocati for both reporting the issue and submitting the fix.

For a comprehensive list of changes and enhancements in these candidate releases, please refer to the official 9.4.0 Release Notes.