
CVE-2022-43693: Concrete CMS vulnerable to Cross-site Request Forgery

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.64075%
Published: 11/14/2022
Updated: 1/29/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name          Ecosystem   Vulnerable Versions     First Patched Version
concrete5/concrete5   composer    < 8.5.10                8.5.10
concrete5/concrete5   composer    >= 9.0.0RC1, < 9.1.3    9.1.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing `state` parameter validation in the OAuth flow. The patch notes explicitly mention adding `state` parameter handling, which is a critical CSRF protection mechanism in OAuth2: the client binds a random value to the user's session before redirecting to the provider and rejects any callback that does not return that same value. The AbstractService class would logically contain the authorization handling code, and ExternalUserProvider would handle authentication validation; both would require `state` validation to prevent CSRF. The high confidence rests on three points: the official patch notes specifically mention the `state` parameter addition; standard OAuth2 security requirements call for it; and Concrete CMS's architecture patterns for authentication handling place that logic in these classes.
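An added example (not Concrete CMS's own code) of the pattern the analysis describes: an OAuth2 callback that accepts any authorization code without a state check, beside one that mints a random state, stores it in the session and validates it on return. The function names, the `oauth2_state` session key and the `$session` array standing in for `$_SESSION` are assumptions.

```php
<?php
// Added example, not Concrete CMS code. Names are hypothetical; $session stands
// in for $_SESSION so the functions can be exercised without a web server.
declare(strict_types=1);

// Hardened step 1: when building the authorize URL, mint a random state,
// remember it in the session, and send it along with the request.
function buildAuthorizeUrl(array &$session, string $authorizeEndpoint, string $clientId, string $redirectUri): string
{
    $state = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG
    $session['oauth2_state'] = $state;    // one-time value bound to this session
    return $authorizeEndpoint . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'state'         => $state,
    ]);
}

// Vulnerable shape: the callback trusts whatever "code" arrives. A cross-site
// request can therefore deliver a code the user never asked for, and the
// CMS would link the resulting external identity to the user's session.
function handleCallbackVulnerable(array &$session, array $query): ?string
{
    if (!isset($query['code'])) {
        return null;
    }
    return (string) $query['code'];   // exchanged for a token with no CSRF check
}

// Hardened shape: the callback only accepts a code that carries the state
// minted for this session, and consumes the state so it cannot be replayed.
function handleCallbackHardened(array &$session, array $query): ?string
{
    $expected = $session['oauth2_state'] ?? null;
    unset($session['oauth2_state']);   // single use, even when the check fails
    if ($expected === null || !isset($query['state'], $query['code'])) {
        return null;                   // no state issued or none returned: reject
    }
    if (!hash_equals($expected, (string) $query['state'])) {
        return null;                   // constant-time mismatch: forged or stale
    }
    return (string) $query['code'];
}

// Constructed walk-through: a callback carrying a code but no state is
// accepted by the vulnerable handler and rejected by the hardened one.
$session = [];
buildAuthorizeUrl($session, 'https://idp.example/authorize', 'client-id', 'https://cms.example/callback');
$forged = ['code' => 'attacker-supplied-code'];
var_dump(handleCallbackVulnerable($session, $forged) !== null);   // bool(true)
var_dump(handleCallbackHardened($session, $forged));              // NULL
```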


WAF Protection Rules

WAF Rule

Concrete CMS is vulnerable to CSRF due to the lack of a "State" parameter for the external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.
