CVE-2025-3153: 
PHP vulnerability analysis and mitigation

Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. The vulnerability was discovered and reported by Myq Larson, with patches released in April 2025 (NVD, Release Notes).

The vulnerability stems from insufficient sanitization of address data in the Concrete CMS Address attribute when no country is specified. The issue affects the output rendering of addresses, potentially allowing for both Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. The Concrete CMS security team assigned this vulnerability a CVSS v4.0 score of 5.1 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L (NVD).

The impact of this vulnerability is limited by several factors. Attackers must have been granted the ability to fill in an address attribute by a site administrator. While attackers can potentially glean limited information from the site, the amount and type of data accessible is restricted by mitigating controls and the attacker's access level. Limited data modification is possible, and the dashboard page could be rendered unavailable (Release Notes).

The vulnerability has been patched in Concrete CMS version 9.4.0RC2 and version 8.5.20. The fix involves proper sanitization of address data output. However, it's important to note that the fix only sanitizes new data uploaded after the update. Existing database entries added before the update will remain vulnerable if they contain successful exploits. A database search is recommended to identify and clean any potentially compromised entries (Release Notes).