CVE-2022-43693

high

Description

Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.

References

Advisories
More

https://github.com/concretecms/concretecms/releases/9.1.3

https://github.com/concretecms/concretecms/releases/8.5.10

https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31

https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes

https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes

Details

Source: Mitre, NVD

Published: 2022-11-14

Updated: 2025-04-30

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00466

Detections

Analytics