Cross-Site Request Forgery and Cross-Site Scripting in Concrete CMS by Concrete
CVE-2025-3153

5.1 MEDIUM

Key Information:

Vendor: Concrete
CVE Published: 3 April 2025

What is CVE-2025-3153?

Concrete CMS versions prior to 9.4.0RC2 and 8.5.20 are vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) because address output is not properly sanitized when the country field is left unspecified. An attacker who controls a user permitted to fill in the address attribute gains limited access, enough to extract data and potentially craft exploits. Entries written to the database before the update may remain vulnerable, so existing records should be reviewed carefully. Mitigation steps are essential to secure user data and maintain the integrity of the CMS environment.
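The two defensive measures the description implies, escaping every address field at output regardless of whether a country is set and reviewing already-stored address values for markup, are illustrated below in an added PHP example. It is not Concrete CMS code; the field names (address1, city, country and so on) and the row layout of the stored data are assumptions, and the sample records are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Concrete CMS's own): escape one address field for HTML output.
function escapeField(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render an address as HTML. Every field is escaped on output, and an
// unspecified country simply drops the country line instead of sending the
// address through a different, unescaped code path.
function renderAddress(array $addr): string
{
    $lines = [];
    foreach (['address1', 'address2', 'city', 'state_province', 'postal_code'] as $key) {
        if (isset($addr[$key]) && $addr[$key] !== '') {
            $lines[] = escapeField($addr[$key]);
        }
    }
    if (isset($addr['country']) && $addr['country'] !== '') {
        $lines[] = escapeField($addr['country']);
    }
    return '<div class="address">' . implode('<br>', $lines) . '</div>';
}

// Flag stored address values that contain markup characters or entities, to
// support the manual review of pre-existing database entries. Each row is
// assumed to be ['id' => ..., 'field' => ..., 'value' => ...].
function findMarkupInStoredAddresses(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        $value = (string)($row['value'] ?? '');
        if (preg_match('/[<>"\']|&#|&[a-z]+;/i', $value)) {
            $flagged[] = ['id' => $row['id'], 'field' => $row['field'], 'value' => $value];
        }
    }
    return $flagged;
}

// Constructed sample records, not real Concrete CMS data.
$stored = [
    ['id' => 1, 'field' => 'city',     'value' => 'Portland'],
    ['id' => 2, 'field' => 'address1', 'value' => '1 Main St <b>not plain text</b>'],
    ['id' => 3, 'field' => 'country',  'value' => ''],
];

foreach (findMarkupInStoredAddresses($stored) as $hit) {
    printf("review attribute id=%d field=%s: %s\n", $hit['id'], $hit['field'], $hit['value']);
}

// Rendering with an empty country still escapes the other fields.
echo renderAddress([
    'address1' => '1 Main St <b>not plain text</b>',
    'city'     => 'Portland',
    'country'  => '',
]), "\n";
```

The review function is deliberately coarse: it flags any value with angle brackets, quotes or entity syntax so that a human can decide whether each hit is legitimate data or something that should be cleaned, rather than trying to judge maliciousness automatically.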

Affected Version(s)

Concrete CMS 9 <= 9.3.4RC1

Concrete CMS 5 < 8.5.20

References

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Myq Larson