CVE-2025-3153 in Concrete
Summary
by MITRE • 04/03/2025
Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. Attackers are limited to individuals whom a site administrator has granted the ability to fill in an address attribute. It is possible for the attacker to glean limited information from the site, but the amount and type are restricted by mitigating controls and the level of access of the attacker. Limited data modification is possible. The dashboard page itself could be rendered unavailable. The fix only sanitizes new data uploaded post update to Concrete CMS 9.4.0RC2. Existing database entries added before the update will still be "live" if there were successful exploits added under previous versions; a database search is recommended. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 5.1 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L. Thanks Myq Larson for reporting.
Analysis
by VulDB Data Team • 09/04/2025
CVE-2025-3153 affects Concrete CMS versions prior to 9.4.0RC2 and 8.5.20. It lies in the Address attribute, whose values are not properly sanitized on output when the country field is absent. The issue combines cross-site request forgery with cross-site scripting and exploits the CMS's handling of incomplete address data. Because the flaw is in output rendering rather than storage, any authenticated user who has been granted the ability to fill in an address attribute can place unsanitized content where other users, including administrators, will have it rendered. It is a classic failure of input validation and output encoding: the system does not adequately process user-supplied data when one of the expected fields is missing.
The vulnerability stems from the CMS's failure to escape or validate address data when the country field is missing from the attribute input. In CWE terms this is CWE-79 (cross-site scripting) and CWE-352 (cross-site request forgery); the Concrete CMS specifics are that the escaping gap is tied to one incomplete-data code path in the Address attribute. When a user with the required privilege submits an address without country data, the system stores it and later renders it without proper sanitization. The vulnerability is concerning because it requires only minimal privileges, specifically the ability to fill in address attributes, yet can allow limited data exfiltration and modification. The CVSS v4.0 score of 5.1 indicates medium severity: network accessible, low attack complexity, low privileges required, user interaction required, with limited impact on confidentiality, integrity and availability of the vulnerable system and of subsequent systems.
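To make the output-encoding point concrete, the following added example (not Concrete CMS code; the field names, the two renderers and the sample record are assumptions for illustration) renders a constructed address record that has no country value once without escaping and once with every field passed through `html.escape`. A small checker reports any tag other than the `<br>` separators the renderer itself emits, which is exactly the condition the unescaped path fails.

```python
"""Added example: rendering an address attribute with and without output
escaping. Field names, renderers and the sample record are assumptions,
not Concrete CMS code."""
import html
import re
from typing import List, Mapping, Optional

# Assumed emission order for an address attribute; 'country' may be missing,
# which is the case the advisory describes.
ADDRESS_FIELDS = ("address1", "address2", "city", "state_province",
                  "postal_code", "country")

# Matches any tag except the <br> separators the renderers emit themselves.
_STRAY_TAG = re.compile(r"<(?!br>)[^>]*>")


def render_address_unescaped(address: Mapping[str, Optional[str]]) -> str:
    """Vulnerable pattern: stored values are concatenated straight into HTML."""
    parts = [address.get(field) or "" for field in ADDRESS_FIELDS]
    return "<br>".join(part for part in parts if part)


def render_address_escaped(address: Mapping[str, Optional[str]]) -> str:
    """Hardened pattern: every field is HTML-escaped, whether or not it is
    present, so a missing country cannot change the escaping behaviour."""
    parts = [html.escape(address.get(field) or "", quote=True)
             for field in ADDRESS_FIELDS]
    return "<br>".join(part for part in parts if part)


def stray_tags(rendered: str) -> List[str]:
    """Return every tag in the rendered output other than <br>."""
    return _STRAY_TAG.findall(rendered)


# Constructed record: no 'address2', no 'country', and markup in 'city'.
SAMPLE_ADDRESS = {
    "address1": "1 Main St",
    "city": "Springfield<script>doSomething()</script>",
    "state_province": "IL",
    "postal_code": "62701",
}

if __name__ == "__main__":
    print("unescaped:", render_address_unescaped(SAMPLE_ADDRESS))
    print("stray tags:", stray_tags(render_address_unescaped(SAMPLE_ADDRESS)))
    print("escaped:  ", render_address_escaped(SAMPLE_ADDRESS))
    print("stray tags:", stray_tags(render_address_escaped(SAMPLE_ADDRESS)))
```

The escaped renderer applies encoding per field and before the values are joined, so the presence or absence of any one field (here the country) has no effect on whether the others are escaped; that property is what a reviewer should look for in the patched code path.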
The operational impact goes beyond data exposure: injected script, or the CSRF component, can render the dashboard page unavailable. An attacker can use the flaw to learn limited information about the site's structure and data, constrained by existing mitigating controls and by the attacker's own access level, and can perform limited data modification that compromises the integrity of address records. The dashboard availability risk matters to administrators because it can disrupt normal administrative operations. Since the affected code is the core path where user-generated content is stored and displayed, the injected content persists and is re-rendered on every view, which is what makes the issue a stored rather than a reflected one.
Remediation for CVE-2025-3153 has two parts: the software update and database maintenance. The fix in Concrete CMS 9.4.0RC2 sanitizes newly submitted data but does not retroactively sanitize entries that were stored before the update, so content injected under a vulnerable version remains "live" until it is found and cleaned up by hand. Administrators must therefore search the database for address attribute values that contain markup or script and remediate them. The vendor's recommendation to search the database reflects the fact that exploitation requires specific user permissions; in ATT&CK terms the relevant concern is an account with the address-attribute privilege being used to seed stored content, not a broader credential-access or privilege-escalation chain. Organizations should add the affected versions to their vulnerability scanning and follow their patch management process so that vulnerable installations are identified and updated. The case illustrates that complete remediation addresses both the code-level fix and the data already contaminated before it.
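The "database search" the vendor recommends can be expressed as a small classifier over stored attribute values. The following is an added example, not code from Concrete CMS or VulDB: it assumes the address values have already been exported as `(row id, field name, value)` tuples (the real table and column names are not given on this page and are left as a placeholder) and flags any value that contains an HTML tag, an inline event-handler attribute, or a `javascript:` URI, while letting legitimate text such as a stray `<` or `>` through. Flagged values are returned alongside an escaped copy an administrator can review or write back.

```python
"""Added example: scan exported address attribute values for stored markup.
The sample rows are constructed; the export query (table/column names) is a
placeholder because the page does not name them."""
import html
import re
from typing import Dict, List, Tuple

# Rows are (row_id, field_name, stored_value); in practice they would be read
# from the site's database with a query such as
#   SELECT <id>, <field>, <value> FROM <address_attribute_table>   -- placeholder
Row = Tuple[int, str, str]

# Ordered checks: first matching reason is reported.
_CHECKS = (
    ("html_tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
)


def classify_value(value: str) -> str:
    """Return the reason a stored value looks like injected markup, or ''."""
    for reason, pattern in _CHECKS:
        if pattern.search(value):
            return reason
    return ""


def scan_address_rows(rows: List[Row]) -> List[Tuple[int, str, str]]:
    """Return (row_id, field_name, reason) for every row that is flagged."""
    findings = []
    for row_id, field, value in rows:
        reason = classify_value(value or "")
        if reason:
            findings.append((row_id, field, reason))
    return findings


def escaped_replacements(rows: List[Row]) -> Dict[int, str]:
    """For each flagged row, the HTML-escaped value an admin could write back
    after review. Unflagged rows are left untouched."""
    flagged = {row_id for row_id, _, _ in scan_address_rows(rows)}
    return {row_id: html.escape(value, quote=True)
            for row_id, _, value in rows if row_id in flagged}


# Constructed sample export: two clean rows, one with a tag, one with an
# event-handler attribute, one with a javascript: URI, one empty country.
SAMPLE_ROWS: List[Row] = [
    (101, "city", "Portland"),
    (102, "address1", "12 Elm St <script>x()</script>"),
    (103, "state_province", 'OR" onmouseover="x()'),
    (104, "address2", "Suite 4 < 5 > 3"),
    (105, "country", ""),
    (106, "address1", "javascript:void(0)"),
]

if __name__ == "__main__":
    for finding in scan_address_rows(SAMPLE_ROWS):
        print("flagged:", finding)
    for row_id, cleaned in escaped_replacements(SAMPLE_ROWS).items():
        print(f"row {row_id} -> {cleaned}")
```

Row 104 is included deliberately: a bare `<` or `>` in free text is common in real address data, and the tag pattern requires a letter after the opening bracket so that such rows are not reported. Findings should be reviewed before anything is written back, since escaping changes what the site displays.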