CVE-2026-32300
HIGH8.1EPSS 0.02%Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information
描述
# Security Advisory — My Page Profile Update (Improper Authorization) ## Summary An improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. ## Affected Versions - 1.x series: <= 1.41.0 - 2.x series: <= 2.41.0 ## Patched Versions - 1.41.1 - 2.41.1 ## Description In part of the My Page profile update feature, another user's profile information or password could be modified. If exploited, arbitrary user accounts may be taken over. Exploitation requires that the attacker be able to reach the affected functionality as an authenticated user. Users affected by this vulnerability should update to a fixed version. ## Solution Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later. ## Credits OpenSource WorkShops thanks **Sho Odagiri** (小田切 祥) of **GMO Cybersecurity by Ierae, Inc.** for reporting this vulnerability.
受影響套件(1)
- Packagist/opensource-workshop/connect-cmsfrom 0, < 1.41.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32300
- PATCHhttps://github.com/opensource-workshop/connect-cms
- WEBhttps://github.com/opensource-workshop/connect-cms/commit/7c9951738c62a1d51b91e9956d1eb756c5d52cce
- WEBhttps://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1
- WEBhttps://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1
- WEBhttps://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-qr6x-wvxr-8hm9