Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 - CSRF and XSS in Concrete CMS Custom Address attribute
Description
Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. Attackers are limited to individuals whom a site administrator has granted the ability to fill in an address attribute. It is possible for the attacker to glean limited information from the site, but the amount and type are restricted by mitigating controls and the level of access of the attacker. Limited data modification is possible. The dashboard page itself could be rendered unavailable. The fix only sanitizes new data uploaded after the update to Concrete CMS 9.4.0RC2. Existing database entries added before the update will still be "live" if successful exploits were added under previous versions; a database search is recommended. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 5.1 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L. Thanks to Myq Larson for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS versions before 9.4.0RC2 and 8.5.20 are vulnerable to CSRF and stored XSS via unsanitized address attributes, enabling limited information disclosure and data modification.
Vulnerability
Overview
Concrete CMS versions below 9.4.0RC2 and 8.5.20 are vulnerable to cross-site request forgery (CSRF) and stored cross-site scripting (XSS) in the Address attribute. The root cause is improper sanitization of address output when no country is specified, allowing an attacker to inject malicious scripts or forge requests. This issue affects both version 9.x (below 9.4.0RC2) and version 8.x (below 8.5.20) [1][4].
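The bug class described above, escaping that happens on one code path but not the other, is easy to reproduce in a few lines. The block below is an added illustration in plain Python, not Concrete CMS code: the function names, the field list and the exact shape of the two branches are assumptions, and the sample records are constructed. Only the bug class is taken from the advisory (address output is sanitized when a country is set and not when it is absent); the hardened form escapes every field on every path.

```python
"""Escape-on-one-path bug class behind CVE-2025-3153, in plain Python.

Added illustration, not Concrete CMS code: the function names, the field list
and the shape of the two branches are assumptions. Only the bug class comes from
the advisory (address output is sanitized when a country is set, and not when
it is absent), so the fix is to escape every field on every path.
"""
import html

# Field order used by the toy renderer (assumed; Concrete's real layout may differ).
FIELDS = ("address1", "address2", "address3", "city", "state_province", "postal_code")

# Constructed sample records. The second one has no country, which is the branch
# the advisory says was left unsanitized, and carries a canary payload in `city`.
SAFE_ADDRESS = {
    "address1": "1 Example St",
    "city": "Springfield",
    "state_province": "IL",
    "postal_code": "62701",
    "country": "US",
}
HOSTILE_ADDRESS = {
    "address1": "1 Example St",
    "city": '<img src=x onerror="alert(document.domain)">',
    "country": "",
}


def render_address_vulnerable(addr):
    """Hypothetical reconstruction of the vulnerable pattern: escaping happens
    inside the 'country present' branch only, so any record saved without a
    country reaches the HTML page unescaped."""
    present = [addr[f] for f in FIELDS if addr.get(f)]
    if addr.get("country"):
        return html.escape(", ".join(present + [addr["country"]]), quote=True)
    return ", ".join(present)  # BUG: raw attacker-controlled text goes to the page


def render_address_fixed(addr):
    """Hardened form: the country is just another field, and every field is
    escaped (including quotes, since the value may land inside an attribute)."""
    present = [addr[f] for f in FIELDS + ("country",) if addr.get(f)]
    return ", ".join(html.escape(part, quote=True) for part in present)


def is_html_safe(rendered):
    """True when no raw angle brackets or quotes survive in the rendered text."""
    return not any(ch in rendered for ch in '<>"\'')


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_address_vulnerable), ("fixed", render_address_fixed)):
        print(f"{name:10s} no-country: {fn(HOSTILE_ADDRESS)}")
        print(f"{name:10s} country   : {fn(SAFE_ADDRESS)}")
```

The point to take from the hardened version is structural: escaping belongs at the point where each value is emitted, unconditionally, not inside whichever branch happened to be tested. A renderer that has two output paths needs a test for each path with a hostile value, which is the check the vulnerable version would have failed.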
Exploitation
Conditions
An attacker must have the ability to fill in an address attribute, which is granted by a site administrator. Per the CVSS v4.0 vector, the attack is network-based (AV:N), has low complexity (AC:L), needs low privileges (PR:L) and passive user interaction (UI:P, i.e. the victim need only perform ordinary interaction such as viewing a page on which the attribute is rendered). No advanced techniques are needed. Exploitation can target the dashboard page, potentially rendering it unavailable [4].
Impact
Successful exploitation allows an attacker to glean limited information from the site, perform limited data modification, and cause denial of service to the dashboard page. The CVSS v4.0 score is 5.1 (medium), reflecting low impacts on confidentiality, integrity, and availability [4].
Mitigation
The vulnerability is fixed in Concrete CMS versions 9.4.0RC2 and 8.5.20. However, the fix only sanitizes new data uploaded after the update; existing database entries from before the update may still contain malicious payloads. Administrators are advised to update immediately and perform a database search to clean any previously injected exploits. The pull requests for the fix are available for version 9 and version 8 [1][2][3][4].
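The advisory leaves the recommended database search to the administrator. The block below is an added example of one way to do it, not a Concrete CMS tool: rows are assumed to have been pulled from the table that stores address attribute values, the column names are assumptions to verify against the live schema, and the sample rows are constructed. It is written in Python rather than as a bare SQL `LIKE '%<%'` because a payload saved once through an entity-encoding layer (`&lt;script&gt;`) would slip past a plain substring match, so the scanner decodes a few layers before matching.

```python
"""Post-upgrade sweep for address attribute values stored before the fix.

Added example, not a Concrete CMS tool. The advisory says the patched release
only sanitizes data written after the upgrade and recommends a database search;
this scans rows already fetched from the table holding address attribute values.
Column names are assumptions to confirm against your schema; rows are constructed.
"""
import html
import re

# Assumed column layout; confirm against the live schema before relying on it.
ADDRESS_COLUMNS = ("address1", "address2", "address3", "city",
                   "state_province", "country", "postal_code")

# Markers a stored-XSS payload in a text field is likely to need. Deliberately
# broad: a false positive costs a minute of review, a miss leaves a live payload.
SUSPICIOUS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script_uri", re.compile(r"(?:javascript|data|vbscript)\s*:", re.I)),
    ("encoded_lt", re.compile(r"&(?:lt|#0*60|#x0*3c);", re.I)),
]

# Constructed sample rows: one clean record, one raw payload saved with no
# country, one entity-encoded payload, and one legitimate ampersand.
SAMPLE_ROWS = [
    {"avID": 1, "address1": "1 Example St", "city": "Springfield",
     "state_province": "IL", "country": "US", "postal_code": "62701"},
    {"avID": 2, "address1": '<img src=x onerror="alert(1)">', "country": ""},
    {"avID": 3, "address1": "&lt;script&gt;alert(1)&lt;/script&gt;", "country": ""},
    {"avID": 4, "address1": "Smith & Wesson Way", "city": "Bonn", "country": "DE"},
]


def decode_layers(value, rounds=3):
    """Undo a few layers of HTML entity encoding so double-encoded payloads are
    caught too; stops as soon as decoding becomes a no-op."""
    for _ in range(rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_row(row):
    """Return [(column, reason), ...] for every address column that looks like
    markup, checking both the stored text and its entity-decoded form."""
    findings = []
    for col in ADDRESS_COLUMNS:
        raw = row.get(col) or ""
        reasons = set()
        for candidate in (raw, decode_layers(raw)):
            for reason, pattern in SUSPICIOUS:
                if pattern.search(candidate):
                    reasons.add(reason)
        findings.extend((col, reason) for reason in sorted(reasons))
    return findings


def scan_rows(rows, id_column="avID"):
    """Map row id -> findings, keeping only rows with at least one finding."""
    report = {}
    for row in rows:
        hits = scan_row(row)
        if hits:
            report[row[id_column]] = hits
    return report


if __name__ == "__main__":
    for row_id, hits in scan_rows(SAMPLE_ROWS).items():
        print(row_id, hits)
```

Flagged rows should be reviewed and cleaned by hand rather than bulk-escaped in place: the patched renderer will escape whatever it reads, so the goal of the sweep is to find and remove payloads, not to re-encode legitimate data such as the ampersand in row 4, which the scanner correctly leaves alone.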
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| concrete5/concrete5 (Packagist) | >= 9.0.0, < 9.4.0RC2 | 9.4.0RC2 |
| concrete5/concrete5 (Packagist) | < 8.5.20 | 8.5.20 |
Affected products
- Concrete CMS / Concrete CMS v5 (range: 9)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cmm4-p9v2-q453 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2025-3153 (advisory, via GHSA)
- documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes (web, via GHSA)
- github.com/concretecms/concretecms/pull/12511 (web, via GHSA)
- github.com/concretecms/concretecms/pull/12512 (web, via GHSA)
- github.com/concretecms/concretecms/releases/tag/8.5.20 (web, via GHSA)
News mentions
No linked articles in our index yet.