CVE-2021-40101

HIGH

Concrete CMS < 8.5.7 - Unauthenticated Password Change via Dashboard

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-40101. PoCs published by S1lkys.

AI-analyzed exploit summary: This repository contains a functional JavaScript payload that exploits CVE-2021-40101, combining XSS (via CVE-2021-28145) and CSRF to change an admin's password in Concrete5 8.5.4. The PoC steals a CSRF token and submits a password change request without requiring the old password.

Description

An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password.

Exploits (1)

nomisec WORKING POC
by S1lkys · poc
https://github.com/S1lkys/CVE-2021-40101

Classification
Working PoC: 95%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Concrete5 (formerly concrete5) versions below 9
Auth required
Prerequisites: Authenticated user with at least Editor privileges to create surveys · Victim admin must view the malicious survey results
Analyzed by devstral-2 on Feb 18, 2026

References (2)

Core References (2)
https://hackerone.com/reports/1065577 (Permissions Required, x_refsource_misc)

Scores

CVSS v3: 7.2
EPSS: 0.0255
EPSS Percentile: 83.0%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-732 (Incorrect Permission Assignment for Critical Resource)
Status: published
Products (1): concretecms/concrete_cms < 8.5.7
Published: Nov 30, 2021
Tracked Since: Feb 18, 2026