CVE-2022-43693

Опубликовано: 14 нояб. 2022

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.

Ссылки

https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes
Release Notes
Vendor Advisory
https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes
Release Notes
Vendor Advisory
https://github.com/concretecms/concretecms/releases/8.5.10
Patch
Release Notes
Third Party Advisory
https://github.com/concretecms/concretecms/releases/9.1.3
Patch
Release Notes
Third Party Advisory
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31
Vendor Advisory
https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes
Release Notes
Vendor Advisory
https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes
Release Notes
Vendor Advisory
https://github.com/concretecms/concretecms/releases/8.5.10
Patch
Release Notes
Third Party Advisory
https://github.com/concretecms/concretecms/releases/9.1.3
Patch
Release Notes
Third Party Advisory
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

Версия до 8.5.10 (исключая)

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

Версия от 9.0.0 (включая) до 9.1.2 (включая)

EPSS

Процентиль: 62%

0.00428

Низкий

8.8 High

CVSS3

Дефекты

CWE-352

Связанные уязвимости

GHSA-w8fp-3gwq-gxpw