MEDIUM

GHSA-qv3x-mffx-9gw8

Concrete CMS is vulnerable to IDOR

상세

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The '/ccm/frontend/conversations/message_page' endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Packagist / concrete5/concrete5

최초 영향 버전: 0 수정 버전: 9.5.1

수정 composer require concrete5/concrete5:^9.5.1

참고

https://nvd.nist.gov/vuln/detail/CVE-2026-8238 [ADVISORY]
https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes [WEB]
https://github.com/concretecms/concretecms [PACKAGE]