MITRE has finally published CVE-2021-22954 that was remediated with Version 9.0. The CSRF token is stored in dynamic Javascript in Concrete CMS versions below 9
If you are running a Concrete Version below 9, we recommend you implement the mitigation - a header configuration applied to nginx or apache.

To mitigate set the Cross-Origin-Resource-Policy to either same-origin or same-site, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)  if  unsure which to apply.
For Nginx: In the location block, add_header Cross-Origin-Resource-Policy "same-origin";
For Apache: In .htaccess or equivalent ,Header set Cross-Origin-Resource-Policy "same-origin"

Concrete CMS Security Team gave this a CVSS 3.1 score of 4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Thanks "Solar Security Research Team" for reporting!