purl: pkg:composer/opensource-workshop/connect-cms@2.40.0
## Vulnerabilities affecting this package

### VCID-1b73-scr2-jucp

Aliases: CVE-2026-32299, GHSA-62ch-j6x7-722j

**Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature**

Security Advisory: Page Content Retrieval (Improper Authorization)

**Summary.** An improper authorization issue in the page content retrieval feature may allow retrieval of non-public information.

**Affected versions.**
- 1.x series: <= 1.41.0
- 2.x series: <= 2.41.0

**Patched versions.**
- 1.41.1
- 2.41.1

**Description.** In part of the page content retrieval feature, insufficient authorization checks allow processing associated with non-public pages to be executed. If exploited, the contents and attachments of non-public pages may be obtained by a third party. The advisory states no privilege requirement for exploitation. Users affected by this vulnerability should update to a fixed version.

**Solution.** Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

**Credits.** OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.

Fixed by a package version affected by 0 other vulnerabilities.
### VCID-3mj1-nbj8-c3gn

Aliases: CVE-2026-32279, GHSA-jh46-85jr-6ph9

**Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin**

Security Advisory: Page Management Plugin (SSRF)

**Summary.** A Server-Side Request Forgery (SSRF) issue exists in the external page migration feature of the Page Management Plugin.

**Affected versions.**
- 1.x series: <= 1.41.0
- 2.x series: <= 2.41.0

**Patched versions.**
- 1.41.1
- 2.41.1

**Description.** In the external page migration feature of the Page Management Plugin, a Server-Side Request Forgery (SSRF) issue could occur. If exploited, it may allow access to internal destinations and could result in information disclosure. Exploitation requires privileges that allow use of the page management screen. Users affected by this vulnerability should update to a fixed version.

**Solution.** Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

**Credits.** OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.

Fixed by a package version affected by 0 other vulnerabilities.
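The SSRF above is the textbook shape: a privileged screen accepts a URL and the server fetches it without deciding whether the destination is one it should ever reach. What follows is an added illustration of the check that closes that gap; it is not code from Connect-CMS (a PHP application) or from the advisory, and `validateMigrationUrl`, `isInternalAddress`, the injected `resolve` callback and the `FAKE_DNS` table are assumptions made for this example. It restricts the scheme to http(s), strips credentials, and rejects any URL whose host is a literal for, or resolves to, a loopback, private, link-local, shared-address or multicast range, checking every resolved address so a hostname with one public and one internal record is still refused.

```javascript
// Added example: validating a user-supplied URL before the server fetches it,
// to block SSRF into internal destinations. Illustrative only; not code from
// Connect-CMS. Function names and the FAKE_DNS table are assumptions.

// Returns true if a dotted-quad IPv4 or textual IPv6 address is one a
// server-side fetch made on behalf of a user must never reach.
function isInternalAddress(ip) {
  const v4 = ip.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    return a === 0 || a === 10 || a === 127 ||          // "this" network, RFC 1918 /8, loopback
      (a === 100 && b >= 64 && b <= 127) ||             // 100.64.0.0/10 shared address space
      (a === 169 && b === 254) ||                       // link-local, incl. 169.254.169.254 cloud metadata
      (a === 172 && b >= 16 && b <= 31) ||              // 172.16.0.0/12
      (a === 192 && b === 168) ||                       // 192.168.0.0/16
      a >= 224;                                         // multicast, reserved, broadcast
  }
  const v6 = ip.toLowerCase();
  if (v6 === "::" || v6 === "::1") return true;         // unspecified, loopback
  if (/^f[cd]/.test(v6)) return true;                   // fc00::/7 unique local
  if (/^fe[89ab]/.test(v6)) return true;                // fe80::/10 link-local
  const dotted = v6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);           // IPv4-mapped, dotted form
  if (dotted) return isInternalAddress(dotted[1]);
  const hex = v6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);  // IPv4-mapped, hex form (URL serialisation)
  if (hex) {
    const hi = parseInt(hex[1], 16), lo = parseInt(hex[2], 16);
    return isInternalAddress(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

// Decides whether a migration source URL may be fetched. `resolve(host)` returns
// the addresses the host resolves to and is injected so this runs offline; in
// production back it with dns.lookup(host, { all: true }) and then connect to
// the address you checked, not to the hostname, or a record that changes
// between check and fetch (DNS rebinding) defeats the check.
function validateMigrationUrl(rawUrl, resolve) {
  let url;
  try {
    url = new URL(rawUrl);   // WHATWG parsing also canonicalises hosts such as 2130706433 -> 127.0.0.1
  } catch {
    return { ok: false, reason: "malformed URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  const host = url.hostname.replace(/^\[|\]$/g, "");    // IPv6 literals arrive bracketed
  const isLiteral = /^[\d.]+$/.test(host) || host.includes(":");
  const addresses = isLiteral ? [host] : resolve(host);
  if (addresses.length === 0) return { ok: false, reason: "host did not resolve" };
  const internal = addresses.find(isInternalAddress);
  if (internal) return { ok: false, reason: `${host} resolves to internal address ${internal}` };
  return { ok: true, host, addresses };
}

// Constructed resolver standing in for DNS in this stand-alone example.
const FAKE_DNS = {
  "example.org": ["93.184.216.34"],
  "localhost": ["127.0.0.1"],
  "metadata.internal": ["169.254.169.254"],
  "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],   // one public record, one internal
};
const fakeResolve = (host) => FAKE_DNS[host] || [];

// Runs a set of candidate migration URLs through the check and returns the verdicts.
function demoUrls() {
  const candidates = [
    "https://example.org/old-site/page.html",
    "http://localhost/admin",
    "http://2130706433/",                        // decimal form of 127.0.0.1
    "http://[::1]:8080/",
    "http://169.254.169.254/latest/meta-data/",
    "http://rebind.attacker.test/",
    "file:///etc/passwd",
    "gopher://example.org/",
  ];
  return candidates.map((u) => ({ url: u, ...validateMigrationUrl(u, fakeResolve) }));
}

for (const v of demoUrls()) console.log(v.ok ? "ALLOW" : "DENY ", v.url, v.reason || "");
```

Only the first candidate is allowed. Note that the URL parser does part of the work: `http://2130706433/` and `http://[::ffff:7f00:1]/` are canonicalised before the range check sees them, which is why the check operates on the parsed hostname rather than on the raw string. An allowlist of permitted source hosts, where the migration use case permits one, is stronger than any denylist of ranges.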
### VCID-7a8g-3pmq-kkej

Aliases: CVE-2026-32278, GHSA-mv3p-7p89-wq9p

**Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin**

Security Advisory: Form Plugin (Stored XSS)

**Summary.** A Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin.

**Affected versions.**
- 1.x series: <= 1.41.0
- 2.x series: <= 2.41.0

**Patched versions.**
- 1.41.1
- 2.41.1

**Description.** In the file field of the Form Plugin, Stored Cross-site Scripting (XSS) could occur. If exploited, arbitrary script could run in an administrator's browser, which may lead to unauthorized actions or information theft. Users affected by this vulnerability should update to a fixed version.

**Solution.** Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

**Credits.** OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.

Fixed by a package version affected by 0 other vulnerabilities.
### VCID-mj73-wmdy-fben

Aliases: CVE-2026-32276, GHSA-hxqw-6qv7-cqfv

**Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin**

Security Advisory: Code Study Plugin

**Summary.** An authenticated user may be able to execute arbitrary code in the Code Study Plugin.

**Affected versions.**
- 1.x series: <= 1.41.0
- 2.x series: <= 2.41.0

**Patched versions.**
- 1.41.1
- 2.41.1

**Description.** In the Code Study Plugin, an authenticated user could trigger unintended code execution. If exploited, it may lead to code execution on the server or information disclosure. Users affected by this vulnerability should update to a fixed version.

**Solution.** Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

**Credits.** OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.

Fixed by a package version affected by 0 other vulnerabilities.
### VCID-nb92-9124-k3hp

Aliases: CVE-2026-32277, GHSA-cmfh-mpmf-fmq4

**Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View**

Security Advisory: Cabinet Plugin (DOM-based XSS)

**Summary.** A DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view.

**Affected versions.**
- 1.x series: >= 1.35.0, <= 1.41.0
- 2.x series: >= 2.35.0, <= 2.41.0

**Patched versions.**
- 1.41.1
- 2.41.1

**Description.** In the Cabinet Plugin list view, DOM-based Cross-Site Scripting (XSS) could occur due to how saved names were rendered. If exploited, arbitrary script could run in the victim's browser, which may lead to unauthorized actions or information theft. Exploitation requires that the attacker be able to reach the affected functionality as an authenticated user. Users affected by this vulnerability should update to a fixed version.

**Solution.** Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

**Credits.** OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.

Fixed by a package version affected by 0 other vulnerabilities.
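The two XSS advisories on this page (the stored XSS in the Form Plugin's file field and the DOM-based XSS in the Cabinet list view) are one defect in two places: a stored name reaches an HTML sink without being encoded for the context it lands in. The following is an added illustration in JavaScript, not code from Connect-CMS or from either advisory; `escapeHtml`, `safeHref`, `renderFileRowUnsafe`, `renderFileRow`, `renderCabinetList` and the `SAMPLE_FILES` inputs are assumptions made for this example. It puts the vulnerable string-concatenation render beside a hardened one that encodes for text and attribute context, refuses `javascript:` links, and, for the browser-side list, builds nodes and assigns `textContent` instead of `innerHTML`.

```javascript
// Added example: context-aware output encoding for an untrusted stored name
// such as an uploaded file's name. Illustrative only; not Connect-CMS code.
// Function names and the sample inputs are assumptions.

// Encodes a string for HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// Accepts only http(s) URLs and site-rooted paths as link targets; a stored
// "javascript:alert(1)" must never become an href. Anything else becomes "#".
function safeHref(candidate) {
  const s = String(candidate).trim();
  if (/^https?:\/\//i.test(s) || /^\/(?!\/)/.test(s)) return s;
  return "#";
}

// VULNERABLE: the saved name is concatenated straight into markup. A name such as
//   "><img src=x onerror=alert(document.cookie)>.png
// breaks out of the title attribute and runs when an administrator views the
// row (the stored case); the same string assigned via innerHTML runs in any
// viewer's browser (the DOM case).
function renderFileRowUnsafe(file) {
  return `<tr><td><a href="${file.url}" title="${file.name}">${file.name}</a></td></tr>`;
}

// HARDENED: every interpolation is encoded for the context it lands in, and
// the link target is validated before it is encoded.
function renderFileRow(file) {
  const name = escapeHtml(file.name);
  const href = escapeHtml(safeHref(file.url));
  return `<tr><td><a href="${href}" title="${name}">${name}</a></td></tr>`;
}

// Browser-side equivalent for a list view: build nodes and set textContent so
// the name stays data and is never parsed as HTML. Runs only where a DOM exists.
function renderCabinetList(container, files) {
  container.replaceChildren();
  for (const f of files) {
    const a = document.createElement("a");
    a.href = safeHref(f.url);
    a.textContent = f.name;            // never a.innerHTML = f.name
    const li = document.createElement("li");
    li.append(a);
    container.append(li);
  }
}

// Constructed sample inputs; the second and third are crafted the way an
// attacker would submit them through a form's file field.
const SAMPLE_FILES = [
  { name: "report-2026.pdf", url: "/uploads/report-2026.pdf" },
  { name: '"><img src=x onerror=alert(document.cookie)>.png', url: "/uploads/x.png" },
  { name: "readme.txt", url: "javascript:alert(1)" },
];

// Renders the samples both ways so the difference can be inspected side by side.
function demoRender() {
  return SAMPLE_FILES.map((f) => ({ unsafe: renderFileRowUnsafe(f), safe: renderFileRow(f) }));
}

for (const row of demoRender()) console.log(row.safe);
```

The encoding is chosen by sink, not by input: the same `file.name` is encoded once for the text node and attribute here, while on the client it is assigned as `textContent` and needs no encoding at all. Templating engines that auto-escape cover the first case by default; the DOM case is the one that still has to be reviewed by hand wherever `innerHTML` or jQuery's `.html()` appears.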
### VCID-qm2m-cwm1-s3fk

Aliases: CVE-2026-32300, GHSA-qr6x-wvxr-8hm9

**Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information**

Security Advisory: My Page Profile Update (Improper Authorization)

**Summary.** An improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information.

**Affected versions.**
- 1.x series: <= 1.41.0
- 2.x series: <= 2.41.0

**Patched versions.**
- 1.41.1
- 2.41.1

**Description.** In part of the My Page profile update feature, another user's profile information or password could be modified. If exploited, arbitrary user accounts may be taken over. Exploitation requires that the attacker be able to reach the affected functionality as an authenticated user. Users affected by this vulnerability should update to a fixed version.

**Solution.** Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

**Credits.** OpenSource WorkShop thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.

Fixed by a package version affected by 0 other vulnerabilities.
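Two of the advisories above, the page content retrieval one and this My Page profile update one, are the same class of defect: the server acts on an object the request names without first establishing that the requester may read or change it. The following is an added illustration, not Connect-CMS code (whose actual page, role and user model is not described on this page); `canViewPage`, `getPageContent`, `downloadAttachment`, `updateProfileUnsafe`, `updateProfile`, `createStore` and the constructed data are assumptions made for this example. It routes both page reads and attachment downloads through one visibility rule, since the first advisory notes attachments of non-public pages were exposed too, and shows a profile update whose target comes from the session rather than from a user id in the form body, beside the vulnerable version that trusts the body.

```javascript
// Added example: enforcing authorization on page retrieval and on profile
// updates. Illustrative only; not Connect-CMS code. All names and the
// constructed data below are assumptions made for this example.

class Forbidden extends Error {}

// Constructed data store. A non-public page lists the roles allowed to view it.
// Password "hashes" use a stand-in format, not a real hash.
function createStore() {
  return {
    users: {
      1: { id: 1, name: "alice", roles: ["member"], passwordHash: "h(alice)" },
      2: { id: 2, name: "bob", roles: ["member", "staff"], passwordHash: "h(bob)" },
    },
    pages: {
      10: { id: 10, title: "Welcome", isPublic: true, allowedRoles: [], body: "public text" },
      11: { id: 11, title: "Staff only", isPublic: false, allowedRoles: ["staff"], body: "internal text" },
    },
    attachments: {
      100: { id: 100, pageId: 11, filename: "salaries.xlsx" },
      101: { id: 101, pageId: 10, filename: "logo.png" },
    },
  };
}
const verifyPassword = (user, candidate) => user.passwordHash === `h(${candidate})`;

// The one visibility rule for pages. `user` is null for an anonymous request.
function canViewPage(user, page) {
  if (page.isPublic) return true;
  if (!user) return false;
  if (user.roles.includes("admin")) return true;
  return page.allowedRoles.some((r) => user.roles.includes(r));
}

// Page retrieval: authorize before any page-specific processing runs.
function getPageContent(store, user, pageId) {
  const page = store.pages[pageId];
  if (!page) return null;
  if (!canViewPage(user, page)) throw new Forbidden(`page ${pageId}`);
  return { title: page.title, body: page.body };
}

// Attachments inherit their page's rule instead of having none of their own.
function downloadAttachment(store, user, attachmentId) {
  const att = store.attachments[attachmentId];
  if (!att) return null;
  const page = store.pages[att.pageId];
  if (!page || !canViewPage(user, page)) throw new Forbidden(`attachment ${attachmentId}`);
  return att.filename;
}

// VULNERABLE: trusts the user id carried in the form body, so any logged-in
// user can name another account and change its profile or password.
function updateProfileUnsafe(store, session, body) {
  const target = store.users[body.user_id];
  if (!target) return null;
  if (typeof body.name === "string") target.name = body.name;
  if (typeof body.new_password === "string") target.passwordHash = `h(${body.new_password})`;
  return target.id;
}

// HARDENED: the target is the authenticated user; a user id in the body is
// ignored, and a password change requires the current password.
function updateProfile(store, session, body) {
  const target = store.users[session.userId];
  if (!target) throw new Forbidden("no authenticated user");
  if (typeof body.new_password === "string") {
    if (!verifyPassword(target, body.current_password)) throw new Forbidden("current password mismatch");
    target.passwordHash = `h(${body.new_password})`;
  }
  if (typeof body.name === "string") target.name = body.name;
  return target.id;
}

// Runs the scenarios on a fresh store and reports each outcome.
function demoAuthz() {
  const store = createStore();
  const alice = store.users[1], bob = store.users[2];
  const attempt = (fn) => {
    try { fn(); return "allowed"; }
    catch (e) { if (e instanceof Forbidden) return "forbidden"; throw e; }
  };
  const r = {};
  r.anonPublicPage = attempt(() => getPageContent(store, null, 10));
  r.anonStaffPage = attempt(() => getPageContent(store, null, 11));
  r.memberStaffAttachment = attempt(() => downloadAttachment(store, alice, 100));
  r.staffStaffAttachment = attempt(() => downloadAttachment(store, bob, 100));
  // alice (session user 1) submits bob's id together with a new password
  const takeover = { user_id: 2, new_password: "owned", current_password: "alice" };
  updateProfileUnsafe(store, { userId: 1 }, takeover);
  r.unsafeBobPasswordChanged = verifyPassword(bob, "owned");
  bob.passwordHash = "h(bob)";                         // reset before the hardened run
  r.hardenedCall = attempt(() => updateProfile(store, { userId: 1 }, takeover));
  r.hardenedBobPasswordChanged = verifyPassword(bob, "owned");
  r.hardenedAlicePasswordChanged = verifyPassword(alice, "owned");
  return r;
}

console.log(demoAuthz());
```

The point of the hardened update is not the extra password prompt but the absence of `body.user_id` from the lookup: the only way to select a target is through the authenticated session. The same principle applies to the retrieval side, where the attachment endpoint must call the page rule rather than rely on the page view having already enforced it.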
## Vulnerabilities fixed by this package

This package is not known to fix vulnerabilities.