Vulnerability-Lookup

GHSA-2237-5R9W-VM8J

Vulnerability from github – Published: 2025-02-07 20:50 – Updated: 2025-02-07 20:50

Summary

Connect-CMS information that is restricted to viewing is visible

Details

Impact

Information that is restricted from viewing in the search results of site searches (※) can still be viewed via the main text (a feature added in v1.8.0).
- Impact by version
  - v1.8.0 ~ v1.8.3: It will be displayed in the text.
  - v1.8.0 and earlier: It will not be displayed in the body of the text, but the title (frame name) will be displayed with a link.
- Target viewing restriction function
  - Frame publishing function (private, limited publishing)
  - IP Restriction Page
  - Password setting page

Patches (fixed version)

Apply v1.8.4.

Workarounds

Remove the site search (e.g. hide frames).。

References

none

Severity ?

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.8.3"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "opensource-workshop/connect-cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-07T20:50:20Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n - Information that is restricted from viewing in the search results of site searches (\u203b) can still be viewed via the main text (a feature added in v1.8.0).\n     - Impact by version\n         - v1.8.0 ~ v1.8.3: It will be displayed in the text.\n         - v1.8.0 and earlier: It will not be displayed in the body of the text, but the title (frame name) will be displayed with a link.\n     - Target viewing restriction function\n         - Frame publishing function (private, limited publishing)\n         - IP Restriction Page\n         - Password setting page\n\n### Patches (fixed version)\n - Apply v1.8.4.\n\n### Workarounds\n - Remove the site search (e.g. hide frames).\u3002\n\n### References\nnone",
  "id": "GHSA-2237-5r9w-vm8j",
  "modified": "2025-02-07T20:50:20Z",
  "published": "2025-02-07T20:50:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-2237-5r9w-vm8j"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opensource-workshop/connect-cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Connect-CMS information that is restricted to viewing is visible"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted