CVE-2022-43693

HIGH

Concrete CMS < 8.5.10 - Cross-Site Request Forgery via OAuth State Parameter Omission


Description

Concrete CMS is vulnerable to CSRF because the external Concrete authentication service omits the OAuth "state" parameter, affecting Concrete users who rely on the "out of the box" core OAuth.

Scores

CVSS v3 8.8
EPSS 0.0044
EPSS Percentile 35.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-352
Status published
Products (2)
concrete5/concrete5 0 - 8.5.10 (Packagist)
concretecms/concrete_cms < 8.5.10
Published Nov 14, 2022
Tracked Since Feb 18, 2026