GHSA-f54h-78c9-c24hLow
Concrete CMS: OAuth 2.0 Authorization-Code Handler Bypasses Account Status
🔗 CVE IDs covered (1)
📋 Description
For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens.
🎯 Affected products1
- composer/concrete5/concrete5:< 9.5.1