GHSA-58c8-vvqw-cm7mMedium

Concrete CMS is vulnerable to IDOR combined with a missing authentication gate

Published
May 22, 2026
Last Modified
June 24, 2026

🔗 CVE IDs covered (1)

📋 Description

Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site structure data (page IDs, versions, URL paths) to anyone who sends a GET request.

🎯 Affected products1

  • composer/concrete5/concrete5:< 9.5.1

🔗 References (3)