CVE-2023-48652: 
PHP vulnerability analysis and mitigation

Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. This vulnerability was discovered and disclosed in December 2023, affecting versions 9.0 through 9.2.2 of Concrete CMS (NVD, Release Notes).

The vulnerability exists in the logs deletion functionality accessible through the path /ccm/system/dialogs/logs/delete_all/submit. The issue stems from insufficient CSRF protections in the endpoint. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

An attacker can exploit this vulnerability to force an authenticated admin user to delete server report logs on a web application to which they are currently authenticated. The Concrete CMS Security team scored this with a higher severity of 6.3 with CVSS v3 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (Vendor Advisory).

The vulnerability has been fixed in Concrete CMS version 9.2.3. Users are strongly advised to upgrade to this version. The fix involves updating Dialog endpoints to only accept Post requests with tokens included (Release Notes, Vendor Advisory).

The vulnerability was reported by security researcher Veshraj Ghimire, who was acknowledged by the Concrete CMS security team for their contribution to identifying this security issue (Vendor Advisory).