Vulnerability Description
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
CVSS Score
8.8
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Concretecms | Concrete Cms | < 8.5.10 |
Related Weaknesses (CWE)
References
- https://documentation.concretecms.org/developers/introduction/version-history/85Release NotesVendor Advisory
- https://documentation.concretecms.org/developers/introduction/version-history/91Release NotesVendor Advisory
- https://github.com/concretecms/concretecms/releases/8.5.10PatchRelease NotesThird Party Advisory
- https://github.com/concretecms/concretecms/releases/9.1.3PatchRelease NotesThird Party Advisory
- https://www.concretecms.org/about/project-news/security/concrete-cms-security-adVendor Advisory
- https://documentation.concretecms.org/developers/introduction/version-history/85Release NotesVendor Advisory
- https://documentation.concretecms.org/developers/introduction/version-history/91Release NotesVendor Advisory
- https://github.com/concretecms/concretecms/releases/8.5.10PatchRelease NotesThird Party Advisory
- https://github.com/concretecms/concretecms/releases/9.1.3PatchRelease NotesThird Party Advisory
- https://www.concretecms.org/about/project-news/security/concrete-cms-security-adVendor Advisory
FAQ
What is CVE-2022-43693?
CVE-2022-43693 is a vulnerability with a CVSS score of 8.8 (HIGH). Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
How severe is CVE-2022-43693?
CVE-2022-43693 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-43693?
Check the references section above for vendor advisories and patch information. Affected products include: Concretecms Concrete Cms.