CVE-2021-40108

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in Concrete CMS allows attackers to trick authenticated users into unknowingly adding malicious calendar events. Attackers can create fake events that could contain malicious links or content. All Concrete CMS installations up to version 8.5.5 are affected.

💻 Affected Systems

Products:
  • Concrete CMS
Versions: through 8.5.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to trick authenticated user with calendar permissions into visiting malicious page while logged in.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could create calendar events containing malicious links that lead to phishing sites, malware downloads, or further attacks against users who interact with the events.

🟠 Likely Case

Attackers create spam or malicious calendar events that could trick users into visiting harmful websites or disclosing sensitive information.

🟢 If Mitigated

With proper CSRF protections, attackers cannot force users to create unauthorized calendar events, limiting impact to user education about suspicious calendar entries.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks are well-understood and easy to implement; requires user interaction but no special technical skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5.6

Vendor Advisory: https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes

Restart Required: No

Instructions:

1. Back up your Concrete CMS installation and database.
2. Download Concrete CMS 8.5.6 or later.
3. Replace the existing files with the patched version.
4. Clear the cache if applicable.

🔧 Temporary Workarounds

Implement CSRF Protection Middleware (applies to: all)

Add custom middleware to verify ccm_token on the vulnerable endpoint. Implement token verification in application/concrete/src/Controller/Calendar/Dialogs/Event/AddController.php

🧯 If You Can't Patch

  • Restrict calendar event creation permissions to trusted administrators only
  • Implement web application firewall rules to block CSRF attempts to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check whether the Concrete CMS version is 8.5.5 or earlier, in the admin dashboard or by examining the version files

Check Version:

Check concrete/config/concrete.php or admin dashboard version display

Verify Fix Applied:

Verify installation is version 8.5.6 or later and test that ccm_token verification is enforced on /ccm/calendar/dialogs/event/add/save endpoint

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /ccm/calendar/dialogs/event/add/save without valid ccm_token
  • Calendar event creation from unexpected IP addresses or user agents

Network Indicators:

  • CSRF attack patterns with missing or invalid anti-CSRF tokens
  • Requests to vulnerable endpoint from external referrers

SIEM Query:

source="web_logs" AND uri="/ccm/calendar/dialogs/event/add/save" AND (NOT ccm_token=* OR ccm_token="")
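The log indicators and SIEM query above, applied to sample records as an added example (not part of the original advisory). The JSON-lines format, the field names, the site hostname and the sample entries are constructed assumptions; adapt them to your own logging pipeline.

```python
"""Flag CSRF-style POSTs to the Concrete CMS calendar endpoint (CVE-2021-40108).
Added example; log format, field names and sample data are constructed assumptions."""
import json
from collections import Counter
from urllib.parse import urlparse

TARGET_URI = "/ccm/calendar/dialogs/event/add/save"
SITE_HOST = "cms.example.org"  # assumption: hostname of the Concrete CMS site

# Constructed sample records, one structured entry per request (fields are assumptions).
SAMPLE_LOG = """\
{"ts": "2021-09-01T10:00:01Z", "src": "10.0.0.5", "method": "POST", "uri": "/ccm/calendar/dialogs/event/add/save", "referer": "https://cms.example.org/dashboard/calendar", "ccm_token": "a1b2c3"}
{"ts": "2021-09-01T10:00:07Z", "src": "198.51.100.7", "method": "POST", "uri": "/ccm/calendar/dialogs/event/add/save", "referer": "https://evil.example.net/lure.html", "ccm_token": ""}
{"ts": "2021-09-01T10:00:09Z", "src": "198.51.100.7", "method": "POST", "uri": "/ccm/calendar/dialogs/event/add/save", "referer": "https://evil.example.net/lure.html"}
{"ts": "2021-09-01T10:00:12Z", "src": "10.0.0.9", "method": "GET", "uri": "/ccm/calendar/dialogs/event/add", "referer": "https://cms.example.org/dashboard/calendar"}
{"ts": "2021-09-01T10:00:20Z", "src": "10.0.0.5", "method": "POST", "uri": "/ccm/calendar/dialogs/event/add/save", "referer": "", "ccm_token": "d4e5f6"}
"""

def classify(rec):
    """Return the indicator names matching one record (empty list if benign)."""
    if rec.get("method") != "POST" or rec.get("uri") != TARGET_URI:
        return []
    hits = []
    # Same condition as the SIEM query: ccm_token field absent or empty.
    if not rec.get("ccm_token"):
        hits.append("missing_token")
    # Referer present but on another host: the form was not submitted from the site itself.
    ref_host = urlparse(rec.get("referer") or "").hostname
    if ref_host and ref_host != SITE_HOST:
        hits.append("external_referer")
    return hits

def scan(log_text):
    """Parse JSON-lines input; return (alerts, count of suspicious POSTs per source IP)."""
    alerts, per_src = [], Counter()
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            hits = classify(rec)
            if hits:
                alerts.append((rec["ts"], rec["src"], hits))
                per_src[rec["src"]] += 1
    return alerts, per_src

if __name__ == "__main__":
    alerts, per_src = scan(SAMPLE_LOG)
    for ts, src, hits in alerts:
        print(f"{ts} {src} {','.join(hits)}")
    for src, n in per_src.items():
        if n > 1:  # "multiple POST requests" indicator from the same source
            print(f"repeated suspicious POSTs from {src}: {n}")
```

A request with a valid token but an empty Referer is left alone, since browsers legitimately omit the header; tune the host check if the site is served under several names.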
