Concrete CMS 9.5.0 and below is vulnerable to IDOR. The /ccm/frontend/conversations/message_detail endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed.
{
"cwe_ids": [
"CWE-862"
],
"severity": "MODERATE",
"nvd_published_at": "2026-05-21T22:16:49Z",
"github_reviewed": true,
"github_reviewed_at": "2026-06-24T21:07:30Z"
}