GHSA-w8fp-3gwq-gxpw

Source

https://github.com/advisories/GHSA-w8fp-3gwq-gxpw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-w8fp-3gwq-gxpw/GHSA-w8fp-3gwq-gxpw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w8fp-3gwq-gxpw

Aliases

CVE-2022-43693

Published

2022-11-14T19:00:19Z

Modified

2023-11-08T04:10:45.542395Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Concrete CMS vulnerable to Cross-site Request Forgery

Details

Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.

Database specific

{
    "nvd_published_at": "2022-11-14T17:15:00Z",
    "github_reviewed_at": "2022-11-16T21:14:09Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ]
}

References

Affected packages

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.5.10

Affected versions

8.*

8.0

8.0.1

8.0.2

8.0.3

8.1.0

8.2.0RC2

8.2.0

8.2.1

8.3.0

8.3.1

8.3.2

8.4.0RC3

8.4.0RC4

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0RC1

8.5.0RC2

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6RC1

8.5.6

8.5.7

8.5.8

8.5.9

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0RC1

Fixed

9.1.3

Affected versions

9.*

9.0.0RC1

9.0.0RC3

9.0.0RC4

9.0.0

9.0.1

9.0.2

9.1.0

9.1.1

9.1.2