CVE-2025-3153

EPSS 0.09%
Veröffentlicht 03.04.2025 02:15:20
Zuletzt bearbeitet 04.09.2025 15:54:07
Quelle ff5b8ace-8b95-4078-9743-eac1ca
CVE-Watchlists
Login
Unerledigt
Login

Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified.  Attackers are limited to individuals whom a site administrator has granted the ability to fill in an address attribute. It is possible for the attacker to glean limited information from the site but amount and type is restricted by mitigating controls and the level of access of the attacker. Limited data modification is possible. The dashboard page itself could be rendered unavailable. 
The fix only sanitizes new data uploaded post update to Concrete CMS 9.4.0RC2. Existing database entries added before the update will still be “live” if there were successful exploits added under previous versions; a database search is recommended. The Concrete CMS security team gave this vulnerability CVSS v.4.0 score of 5.1  with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L Thanks Myq Larson for reporting.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Concretecms ≫ Concrete Cms Version < 8.5.20

Concretecms ≫ Concrete Cms Version >= 9.0 < 9.4.0

Concretecms ≫ Concrete Cms Version9.4.0 Updaterc1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.256

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.3	3.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
ff5b8ace-8b95-4078-9743-eac1ca5451de	5.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes

Release Notes

https://github.com/concretecms/concretecms/pull/12511

Patch

Issue Tracking

https://github.com/concretecms/concretecms/pull/12512

Patch

Issue Tracking

https://github.com/concretecms/concretecms/releases/tag/8.5.20

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2025-3153

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-3153

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-3153

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-3153