
CVE-2023-48652: Concrete CMS Cross Site Request Forgery (CSRF)

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.48918%
Published: 12/25/2023
Updated: 12/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Package Name: concrete5/concrete5
Ecosystem: composer
Vulnerable Versions: < 9.2.3
First Patched Version: 9.2.3

Vulnerability Intelligence

Root Cause Analysis

The vulnerable endpoint is /ccm/system/dialogs/logs/delete_all/submit, which maps to the dialog controller action that deletes all server report logs. The 9.2.3 release notes indicate that the fix added CSRF token validation and restricted the action to POST requests (commit 11764), so the submit handler for log deletion is the code path that processed the forged request. The flaw follows the usual CSRF pattern: a state-changing action that relied only on the browser's ambient session cookie, with no anti-CSRF token and no request-method restriction, so a page under the attacker's control could trigger log deletion in the context of an administrator who was logged in to the target site. That matches the reported attack and the CVSS vector (no privileges needed by the attacker, user interaction required, integrity impact only).
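To make the pattern concrete, the following is an added illustration written for this page, not code from Concrete CMS or from the fix: a minimal "delete all logs" submit handler in the shape of the affected endpoint, first as the vulnerable form (any authenticated request deletes the logs) and then with the two controls the release notes describe (CSRF token validation and POST only). The function names, the session array layout, the ccm_token field name, the action name and the deleteAllLogs() callback are assumptions made for the example; Concrete CMS ships its own token service, and the snippet reimplements the idea generically rather than claiming its API.

```php
<?php
// Added example, not Concrete CMS code. Names below (handler functions,
// session keys, TOKEN_ACTION, the ccm_token field, deleteAllLogs) are
// assumptions made for illustration.

declare(strict_types=1);

const TOKEN_ACTION = 'delete_all_logs';   // assumed action name; scopes the token

/** Vulnerable form: any request carrying an admin session deletes the logs.
 *  A GET from an <img src> or an auto-submitting form on an attacker's page
 *  sends the victim's cookie and therefore passes the only check present. */
function deleteAllSubmitVulnerable(array $server, array $request, array $session, callable $deleteAllLogs): array
{
    if (empty($session['admin'])) {
        return ['status' => 403, 'body' => 'forbidden'];
    }
    $deleteAllLogs();                       // state change with no origin proof
    return ['status' => 200, 'body' => 'logs deleted'];
}

/** Issue a per-session secret once, then derive a per-action token from it so
 *  a token rendered for one action cannot be replayed against another. */
function csrfToken(array &$session, string $action): string
{
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return hash_hmac('sha256', $action, $session['csrf_secret']);
}

/** Hardened form: POST only, token required, constant-time comparison. */
function deleteAllSubmitHardened(array $server, array $request, array &$session, callable $deleteAllLogs): array
{
    if (empty($session['admin'])) {
        return ['status' => 403, 'body' => 'forbidden'];
    }
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return ['status' => 405, 'body' => 'method not allowed'];
    }
    $supplied = $request['ccm_token'] ?? '';   // assumed field name
    if (!is_string($supplied) || empty($session['csrf_secret'])
        || !hash_equals(csrfToken($session, TOKEN_ACTION), $supplied)) {
        return ['status' => 400, 'body' => 'invalid csrf token'];
    }
    $deleteAllLogs();
    return ['status' => 200, 'body' => 'logs deleted'];
}

// Constructed demonstration. The forged cross-site request arrives with the
// victim's session cookie (so 'admin' is set) but carries no token and, for
// an <img>-style trigger, uses GET.
$session = ['admin' => true];
$deleted = 0;
$deleteAllLogs = function () use (&$deleted) { $deleted++; };

$forged = ['REQUEST_METHOD' => 'GET'];
deleteAllSubmitVulnerable($forged, [], $session, $deleteAllLogs);
echo "vulnerable handler, forged GET: deleted={$deleted}\n";

$deleted = 0;
$r = deleteAllSubmitHardened($forged, [], $session, $deleteAllLogs);
echo "hardened handler, forged GET: status={$r['status']} deleted={$deleted}\n";

$r = deleteAllSubmitHardened(['REQUEST_METHOD' => 'POST'], ['ccm_token' => 'guess'], $session, $deleteAllLogs);
echo "hardened handler, forged POST with guessed token: status={$r['status']} deleted={$deleted}\n";

// Legitimate dialog submission: the token was rendered into the admin's own
// form from their session and is posted back with the request.
$token = csrfToken($session, TOKEN_ACTION);
$r = deleteAllSubmitHardened(['REQUEST_METHOD' => 'POST'], ['ccm_token' => $token], $session, $deleteAllLogs);
echo "hardened handler, legitimate POST: status={$r['status']} deleted={$deleted}\n";
```

Two details matter beyond the token itself. Rejecting non-POST requests closes the cheapest trigger (an image or link, which needs no script on the attacker's page), and binding the token to the session and comparing it with hash_equals keeps an attacker from either guessing it or learning it through a timing side channel. The check must run before the state change, as it does here, not after.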


WAF Protection Rules

WAF Rule

Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via `/ccm/system/dialogs/logs/delete_all/submit`. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated.
