Listen to this Post
How the CVE works:
In Concrete CMS versions 9.5.0 and below, the `local_available_update.php` view emits a CSRF token via `$token->output(‘do_update’)` for the core update form. This token is sent to the browser as part of a POST form. However, the corresponding `do_update()` method inside `concrete/controllers/single_page/dashboard/system/update/update.php` never calls `$this->token->validate(‘do_update’)` to verify the token upon submission. Because the controller discards the token without any validation, an attacker can craft a cross-site POST request that triggers a core CMS update. The attacker can specify an arbitrary version string, provided two conditions are met: the victim user must pass the `canUpgrade()` check (i.e., have administrative upgrade permissions), and a valid update package matching the attacker’s version string must exist under the `DIR_CORE_UPDATES` directory. Successful exploitation leads to an unauthorized upgrade, potentially to a malicious or vulnerable core version, compromising the integrity and availability of the CMS. The vulnerability has a CVSS v4.0 base score of 7.5 (High) with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, indicating low attack complexity but requiring user interaction and a passive network attacker.
DailyCVE Form:
Platform: Concrete CMS
Version: 9.5.0 and below
Vulnerability : CSRF validation missing
Severity: High (7.5)
date: 2026-05-21
Prediction: Patch expected 2026-06-15
What Undercode Say:
Check if vulnerable: grep -r "do_update" concrete/controllers/single_page/dashboard/system/update/update.php Look for missing token validation curl -X POST https://target.com/index.php/dashboard/system/update/update/do_update \ -d "update_version=9.5.1_malicious" \ --cookie "PHPSESSID=victim_session" Monitor update directory: ls -la DIR_CORE_UPDATES/
Exploit:
Attacker hosts malicious HTML form auto-submitting POST to `/dashboard/system/update/update/do_update` with parameter update_version=attacker_controlled. Victim admin clicks link while logged in – forces CMS update to arbitrary version if update archive exists.
Protection from this CVE:
Upgrade to patched Concrete CMS version (9.5.1 or higher) once available. Apply `$this->token->validate(‘do_update’)` in `do_update()` method. Enable CSRF protections globally and restrict update directory access.
Impact:
Unauthorized core update to malicious or vulnerable version, leading to full site compromise, data loss, or denial of service. Administrative privileges required but bypass CSRF protection.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin
(AutoGPT), Log Size Unbounded, CVE-2025-32425 (Medium)
