{“lastseen”:””,”description”:”Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys.\u00a0To be vulnerable, a\u00a0site would have to be configured in such a way that both public and private surveys are present on the site. An\u00a0unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey\u2019s endpoint.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of\u00a06.3 with vector\u00a0CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:N\/VI:L\/VA:N\/SC:N\/SI:N\/SA:N. Thanks\u00a0 Zer0daySec https:\/\/github.com\/Zee99y \u00a0for reporting”,”published”:”2026-05-21T21:13:07.640Z”,”modified”:”2026-05-21T21:13:07.640Z”,”type”:”cve”,”title”:”Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys when sites are running concurrent public surveys and private surveys”,”source”:”ConcreteCMS”,”references”:”https:\/\/documentation.concretecms.org\/9-x\/developers\/introduction\/version-history\/951-release-notes”,”id”:”CVE-2026-8337″,”bulletinFamily”:””,”cwe”:[“CWE-639″,”CWE-565″],”cvelist”:null,”sourceData”:”Concrete CMS Concrete CMS 5.0″,”sourceHref”:””,”cvss”:{“score”:6.3,”severity”:”MEDIUM”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:N\/VC:N\/VI:L\/VA:N\/SC:N\/SI:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Concrete CMS”,”version”:”5.0″,”vendor”:”Concrete CMS”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys.\u00a0To be vulnerable, a\u00a0site would have to be configured in such a way that both…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,23,12,21,13,7,11,5],"class_list":["post-56187","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-63","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n