Session ID Not Refreshed After OAuth Authentication in Concrete CMS (formerly concrete5) Versions Below 8.5.10 and Below 9.1.3

CVE-2022-43687 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
