CVE-2025-3153
📋 TL;DR
Concrete CMS 8.x below 8.5.20 and 9.x below 9.4.0RC2 are vulnerable to CSRF and XSS in the Address attribute when no country is specified. An attacker who holds address attribute editing permissions can inject scripts that steal limited data, modify some content, or disrupt the dashboard; users without that permission cannot exploit the vulnerability.
💻 Affected Systems
- Concrete CMS
📦 What is this software?
Concrete Cms by Concretecms
⚠️ Risk & Real-World Impact
Worst Case
Attacker with address editing permissions could execute cross-site scripting to steal administrator session cookies, perform unauthorized actions via CSRF, render the dashboard unavailable, and modify limited site data.
Likely Case
Authenticated users with address editing permissions could inject malicious scripts to perform limited data theft or modification, potentially affecting other users who view the compromised address fields.
If Mitigated
With proper access controls limiting who can edit address attributes, impact is minimal to none as only authorized users could exploit the vulnerability.
🎯 Exploit Status
Exploitation requires authenticated access with address attribute editing permissions. Attack combines CSRF and XSS vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.5.20 for version 8.x, 9.4.0RC2 for version 9.x
Vendor Advisory: https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes
Restart Required: No
Instructions:
1. Back up your Concrete CMS installation and database.
2. Update to Concrete CMS 8.5.20 if using version 8.x.
3. Update to Concrete CMS 9.4.0RC2 if using version 9.x.
4. Review and sanitize existing address database entries, as the patch only affects new data.
🔧 Temporary Workarounds
Restrict Address Attribute Permissions
Temporarily remove or restrict permissions for editing address attributes to only essential administrators.
Navigate to Concrete CMS Dashboard > System & Settings > Permissions & Access > Access Entities
Input Validation for Address Fields
Implement custom validation to ensure the country field is always populated in address attributes.
Create custom form validation rules for address fields in Concrete CMS
🧯 If You Can't Patch
- Review and audit all user accounts with address attribute editing permissions, reducing access to minimum necessary
- Manually search database for malicious address entries and sanitize existing data
🔍 How to Verify
Check if Vulnerable:
Check Concrete CMS version in dashboard or via /concrete/config/app.php. Versions below 8.5.20 or 9.x below 9.4.0RC2 are vulnerable.
Check Version:
Check Concrete CMS dashboard or examine /concrete/config/app.php for version information
Verify Fix Applied:
After updating, verify version shows 8.5.20 or higher for version 8.x, or 9.4.0RC2 or higher for version 9.x. Test address attribute functionality with empty country field.
📡 Detection & Monitoring
Log Indicators:
- Unusual address field modifications
- Multiple failed login attempts followed by address edits
- JavaScript or HTML injection patterns in address data
Network Indicators:
- CSRF token validation failures
- Unexpected POST requests to address update endpoints
SIEM Query:
source="concretecms" AND (event="address_update" OR event="attribute_save") AND (country="" OR country=null)
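The log indicators above (empty country values and HTML or JavaScript patterns in address data) can be checked offline against exported address-update events. The following script is an added example, not part of the advisory or of Concrete CMS itself; it assumes a hypothetical JSON-per-line export whose field names (`source`, `event`, `user`, `country`, `address1`, `city`, ...) are constructed for illustration and mirror the SIEM query's fields, and the sample lines are constructed test data.

```python
import json
import re
from typing import Dict, List

# Constructed sample export (format and field names assumed, not a real Concrete CMS log).
SAMPLE_LOG = [
    '{"source":"concretecms","event":"address_update","user":"editor1","country":"US","address1":"1 Main St","city":"Boston"}',
    '{"source":"concretecms","event":"attribute_save","user":"editor2","country":"","address1":"<script>alert(1)</script>","city":"London"}',
    '{"source":"concretecms","event":"page_view","user":"editor2","country":"","address1":"<script>alert(1)</script>"}',
    '{"source":"concretecms","event":"address_update","user":"editor3","country":null,"address1":"5 Ring Rd","city":"Oxford"}',
    '{"source":"concretecms","event":"attribute_save","user":"editor4","country":"DE","address1":"Hauptstr. 2","city":"<img src=x onerror=alert(1)>"}',
]

# Events that correspond to address attribute writes (same names as the SIEM query).
ADDRESS_EVENTS = {"address_update", "attribute_save"}

# Free-text address fields worth inspecting for markup (assumed names).
ADDRESS_FIELDS = ("address1", "address2", "city", "state_province", "postal_code")

# Patterns that have no business in a postal address: tags, script URLs, event handlers.
INJECTION_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),          # onerror=, onload=, ...
    re.compile(r"<\s*(iframe|img|svg|object|embed)", re.I),
]


def scan_address_events(lines: List[str]) -> List[Dict]:
    """Return one finding per suspicious address write.

    A record is flagged when the country is empty or null (the condition the
    advisory ties to the bug) or when any address field contains markup or
    script patterns. Non-address events are ignored; unparseable lines are
    reported so they are not silently dropped.
    """
    findings: List[Dict] = []
    for lineno, raw in enumerate(lines, 1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "user": None, "reasons": ["unparseable"]})
            continue
        if rec.get("source") != "concretecms" or rec.get("event") not in ADDRESS_EVENTS:
            continue

        reasons: List[str] = []
        if rec.get("country") in (None, ""):
            reasons.append("empty_country")
        for field in ADDRESS_FIELDS:
            value = rec.get(field)
            if not isinstance(value, str):
                continue
            # One reason per field is enough; record which field carried the markup.
            if any(p.search(value) for p in INJECTION_PATTERNS):
                reasons.append(f"injection_pattern:{field}")
        if reasons:
            findings.append({"line": lineno, "user": rec.get("user"), "reasons": reasons})
    return findings


def users_to_review(findings: List[Dict]) -> List[str]:
    """Distinct accounts behind flagged writes, for the permission audit suggested above."""
    return sorted({f["user"] for f in findings if f["user"]})


if __name__ == "__main__":
    for finding in scan_address_events(SAMPLE_LOG):
        print(finding)
    print("accounts to review:", users_to_review(scan_address_events(SAMPLE_LOG)))
```

An empty-country write is only a weak signal on its own (line 4 in the sample is benign data with a missing country), so the script keeps the two reasons separate; records carrying both an empty country and a markup pattern are the ones to prioritise, and the user list feeds the permission review described under "If You Can't Patch".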