[Concrete CMS] Stored unauth XSS in calendar event via CSRF

We discussed this vulnerability during Episode 91 on 18 October 2021

Straightforward XSS and CSRF issues in Concrete CMS when adding a calendar event. The XSS was closed as a non-issue because the application intentionally gives users control over the HTML, including the ability to add scripts. The CSRF aspect, though, is another illustration of how easily this kind of vulnerability creeps in when the code is not designed around centralized security.

This was simply a case of the CSRF token not being validated at all; the fix commit shows how simple the issue was. It was just missing a call to $this->validateAction(). In my opinion, where there is one of these sorts of issues, there are bound to be more.
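To make the missing-check pattern concrete, here is an added PHP example (not Concrete CMS code, and not the fix commit itself) that shows a minimal centralized CSRF token check next to a handler that skips it. The class and function names (CsrfToken, addEventUnchecked, addEventChecked), the action name add_event and the form field csrf_token are all hypothetical; the session is simulated with an in-memory array so the script runs from the CLI.

```php
<?php
declare(strict_types=1);

// Added example: a small centralized CSRF token service. Real applications
// store the token in the user's server-side session; here an array stands in
// for the session so the script runs offline.
final class CsrfToken
{
    /** @var array<string,string> action name => token (simulated session) */
    private array $session = [];

    // Issue one random token per action and reuse it for that action.
    public function generate(string $action): string
    {
        if (!isset($this->session[$action])) {
            $this->session[$action] = bin2hex(random_bytes(32));
        }
        return $this->session[$action];
    }

    // Constant-time comparison; a missing or mismatched token is rejected.
    public function validate(string $action, ?string $submitted): bool
    {
        $expected = $this->session[$action] ?? null;
        if ($expected === null || $submitted === null) {
            return false;
        }
        return hash_equals($expected, $submitted);
    }
}

// Vulnerable shape: the handler trusts any POST body, so a form auto-submitted
// from an attacker's site in a logged-in user's browser is accepted.
function addEventUnchecked(array $post, array &$events): bool
{
    $events[] = ['name' => $post['name'] ?? ''];
    return true;
}

// Fixed shape: the action cannot proceed without a valid token tied to the
// user's session. A cross-site page cannot read that token, so the forged
// request fails the check before any state changes.
function addEventChecked(CsrfToken $csrf, array $post, array &$events): bool
{
    if (!$csrf->validate('add_event', $post['csrf_token'] ?? null)) {
        return false; // rejected: no or wrong token
    }
    $events[] = ['name' => $post['name'] ?? ''];
    return true;
}

// Simulated run with constructed requests: one legitimate, one forged.
$csrf   = new CsrfToken();
$token  = $csrf->generate('add_event');
$events = [];

$legit  = ['name' => 'Team meeting', 'csrf_token' => $token];
$forged = ['name' => 'Injected event']; // a cross-site form cannot supply the token

var_dump(addEventUnchecked($forged, $events));      // accepted: this is the bug
var_dump(addEventChecked($csrf, $legit, $events));  // accepted: token matches
var_dump(addEventChecked($csrf, $forged, $events)); // rejected: token missing
var_dump(count($events));                           // only the two accepted events
```

The design point is the one the post makes: when token validation lives in a single service and every state-changing action is required to call it, a forgotten call is a one-line omission that code review or a framework-level hook can catch, rather than a bug that has to be rediscovered per endpoint.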