216.73.217.98

CVE-2026-8237

· Published 21/05/2026 22:16 · Modified 21/05/2026 22:16

Labels: CVE-2026-8237 2026-05-21CVE-2026-8237CWE-862ff5b8ace-8b95-4078-9743-eac1ca5451de

Essential information

Published
21/05/2026 22:16
Modified
21/05/2026 22:16
Author
Creator
CVSS
6.3 MEDIUM (v3) 6.3 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
ff5b8ace-8b95-4078-9743-eac1ca5451de
NVD
View on NVD

Affected products (CPE)

ProductCPE
concrete / cms cpe:2.3:a:concrete:cms:9.5.0:*:*:*:*:*:*:*
concrete / cms cpe:2.3:a:concrete:cms:<9.5.0:*:*:*:*:*:*:*

References