Advisories for Composer/Opensource-Workshop/Connect-Cms package

A DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view.

An authenticated user may be able to execute arbitrary code in the Code Study Plugin.

An improper authorization issue in the page content retrieval feature may allow retrieval of non-public information.

An improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information.

A Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin.

A Server-Side Request Forgery (SSRF) issue exists in the external page migration feature of the Page Management Plugin.

Information that is restricted from viewing in the search results of site searches (※) can still be viewed via the main text (a feature added in v1.8.0). Impact by version v1.8.0 ~ v1.8.3: It will be displayed in the text. v1.8.0 and earlier: It will not be displayed in the body of the text, but the title (frame name) will be displayed with a link. Target viewing restriction function Frame …

Impact（影響） There is an Access control vulnerability on the management system of Connect-CMS. Affected Version : Connect-CMS v1.8.6, 2.4.6 and earlier Patches（修正バージョン） version v1.8.7, v2.4.7 Workarounds（運用回避手段） Upgrade Connect-CMS to latest version

This advisory duplicates another.

Impact（影響） There is a Privilege Escalation Vulnerability on the management system of Connect-CMS. Affercted Version : Connect-CMS 1.7.1, 2.3.1 and earlier Patches（修正バージョン） version 1.7.2, 2.3.1 Workarounds（運用回避手段） Upgrade Connect-CMS to latest version