Cross-site Request Forgery (CSRF) Affecting concrete5/concrete5 package, versions <8.5.20>=9.0.0RC1, <9.4.0RC2
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Cross-site Request Forgery (CSRF) vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PHP-CONCRETE5CONCRETE5-9634306
- published3 Apr 2025
- disclosed3 Apr 2025
- creditMyq Larson
Introduced: 3 Apr 2025
NewCVE-2025-3153 (opens in a new tab)How to fix?
Upgrade concrete5/concrete5 to version 8.5.20, 9.4.0RC2 or higher.
Overview
concrete5/concrete5 is a concrete5 open source CMS.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the formatWithoutCountry() function, which does not sanitize the address attribute. A user with the ability to fill in an address attribute can modify data or disrupt the dashboard page by injecting malicious scripts or forging requests.
Note: The release notes state that "the fix only sanitizes new data uploaded post update to Concrete CMS 9.4.0RC2. Existing database entries added before the update will still be 'live' if there were successful exploits added under previous versions".