{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/form-plugin/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Connect CMS","Form Plugin"],"_cs_severities":["high"],"_cs_tags":["connect-cms","stored-xss","vulnerability","form-plugin"],"_cs_type":"advisory","_cs_vendors":["Connect"],"content_html":"\u003cp\u003eA stored cross-site scripting (XSS) vulnerability has been identified in the file field of the Form Plugin for Connect CMS. This flaw affects versions 1.x up to and including 1.41.0, as well as versions 2.x up to and including 2.41.0. Successfully exploiting this vulnerability could enable an attacker to inject and execute arbitrary JavaScript code within an administrator's browser session. This could lead to unauthorized actions being performed on the CMS, such as modifying website content, creating new administrative accounts, or stealing sensitive information managed within the CMS. The vulnerability was reported by Sho Odagiri of GMO Cybersecurity by Ierae, Inc. and is tracked as CVE-2026-32278. Users of Connect CMS are advised to update to versions 1.41.1 or 2.41.1 to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Connect CMS instance running a vulnerable version of the Form Plugin (\u0026lt;= 1.41.0 or \u0026lt;= 2.41.0).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing JavaScript code designed to execute harmful actions within an administrator's session.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the file upload field of the Form Plugin to inject the malicious payload. This may involve uploading a file with a specially crafted name or content designed to trigger the XSS vulnerability.\u003c/li\u003e\n\u003cli\u003eAn administrator accesses the Form Plugin interface or views the uploaded file, triggering the stored XSS vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker's JavaScript payload executes within the administrator's browser session.\u003c/li\u003e\n\u003cli\u003eThe injected script steals the administrator's session cookie or other authentication tokens.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to authenticate to the Connect CMS as the administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions, such as modifying website content, installing malicious plugins, or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability can have significant consequences for Connect CMS users. An attacker could gain complete control over the affected CMS instance, leading to website defacement, data breaches, and the installation of backdoors for persistent access. Because the XSS triggers in an administrator's browser, the attacker inherits administrative privileges, allowing them to perform any action an administrator can. This could affect a wide range of websites using Connect CMS, potentially impacting numerous organizations. The severity is high due to the ease of exploitation and the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update Connect CMS to version 1.41.1 or 2.41.1 to patch the XSS vulnerability (CVE-2026-32278).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026quot;Detect Connect CMS XSS Attempt via HTTP Request\u0026quot; to identify potential exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eEnable web server access logging to monitor for suspicious HTTP requests associated with XSS attacks, which is required for the Sigma rule to function.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-connect-cms-xss/","summary":"A stored cross-site scripting (XSS) vulnerability exists in the file field of the Form Plugin in Connect CMS versions 1.x series \u003c= 1.41.0 and 2.x series \u003c= 2.41.0, allowing arbitrary script execution in an administrator's browser, potentially leading to unauthorized actions or information theft.","title":"Connect CMS Form Plugin Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-connect-cms-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Form Plugin","version":"https://jsonfeed.org/version/1.1"}