Connect-CMS Improper Authorization Vulnerability in Profile Update Feature Allows Arbitrary User Information Modification
Vulnerability
Connect-CMS versions 1.x through 1.41.0 and 2.x through 2.41.0 contain an improper authorization vulnerability in the My Page profile update feature that could lead to unauthorized modification of user information. An authenticated user can change another user's profile details or password, potentially leading to account takeover.
Impact
Exploitation of this vulnerability could result in unauthorized changes to user profiles or passwords, with a risk of account takeover.
Reproduction
To reproduce this vulnerability, an authenticated user accesses the My Page profile update feature and sends a profile update request for a user other than the logged-in user. The request bypasses the authorization checks that should prevent such actions.
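The following added example (not Connect-CMS code, and not taken from the project) models the flaw class described above in a framework-agnostic way: a profile update handler that trusts a client-supplied target id, next to a form that derives the target from the authenticated session. All names, including the `user_id` form field and the sample accounts, are hypothetical.

```python
# Added illustration of the missing ownership check; not Connect-CMS code.
# Every name here (User, the "user_id" field, the handlers) is hypothetical.
from dataclasses import dataclass


class Forbidden(Exception):
    """The caller is not allowed to modify the target account."""


@dataclass
class User:
    id: int
    name: str
    email: str


def sample_users() -> dict:
    # Constructed sample data standing in for the users table.
    return {1: User(1, "alice", "alice@example.test"),
            2: User(2, "bob", "bob@example.test")}


EDITABLE = ("name", "email")  # a password field would be handled the same way


def _apply(target: User, form: dict) -> User:
    # Copy only allow-listed fields so the request cannot set arbitrary attributes.
    for field in EDITABLE:
        if field in form:
            setattr(target, field, form[field])
    return target


def update_profile_vulnerable(users: dict, session_user: User, form: dict) -> User:
    # Flaw: the record to write is chosen by the request body, so any
    # authenticated caller decides whose profile is changed.
    return _apply(users[int(form["user_id"])], form)


def update_profile_hardened(users: dict, session_user: User, form: dict) -> User:
    # The target comes from the authenticated session. A client-supplied id
    # is tolerated only when it matches; a mismatch is rejected and is worth
    # logging as a tampering signal.
    requested = form.get("user_id")
    if requested is not None and str(requested) != str(session_user.id):
        raise Forbidden(f"user {session_user.id} may not edit user {requested}")
    return _apply(users[session_user.id], form)
```

The rejected branch is also a useful detection point: a profile update whose target id differs from the session user should never occur through the normal My Page form.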
Remediation
Users should update to Connect-CMS version 1.41.1 or 2.41.1.
