GHSA-3rxx-8f33-7p6p

Source

https://github.com/advisories/GHSA-3rxx-8f33-7p6p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-3rxx-8f33-7p6p/GHSA-3rxx-8f33-7p6p.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-3rxx-8f33-7p6p

Aliases

CVE-2023-48653

Published

2024-02-29T03:33:14Z

Modified

2024-12-16T21:50:33.206943Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Concrete CMS Cross Site Request Forgery (CSRF) vulnerability

Details

Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential.

Database specific

{
    "nvd_published_at": "2024-02-29T01:41:34Z",
    "github_reviewed_at": "2024-02-29T20:10:02Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-352"
    ],
    "github_reviewed": true
}

References

Affected packages

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.5.14

Affected versions

8.*

8.0

8.0.1

8.0.2

8.0.3

8.1.0

8.2.0RC2

8.2.0

8.2.1

8.3.0

8.3.1

8.3.2

8.4.0RC3

8.4.0RC4

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0RC1

8.5.0RC2

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6RC1

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.5.11

8.5.12

8.5.13

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0

Fixed

9.2.3

Affected versions

9.*

9.0.0

9.0.1

9.0.2

9.1.0

9.1.1

9.1.2

9.1.3

9.2.0RC2

9.2.0

9.2.1

9.2.2