GHSA-8c7c-h7px-267gMedium

Concrete CMS is vulnerable to IDOR in surveys

Published
May 22, 2026
Last Modified
June 24, 2026

🔗 CVE IDs covered (1)

📋 Description

Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey’s endpoint.

🎯 Affected products1

  • composer/concrete5/concrete5:< 9.5.1

🔗 References (3)