Connect CMS, SSRF, (Moderate)

Listen to this Post

How the CVE Works

The vulnerability resides in the External Page Migration feature of the Page Management Plugin.
This feature allows users with page‑management privileges to import page data from a remote URL.
The application accepts a user‑supplied URL and performs an HTTP request to fetch the external content.
Due to insufficient validation of the provided URL, an attacker can supply internal addresses (e.g., `http://169.254.169.254/latest/meta-data/`, `http://127.0.0.1:8080/admin`, etc.).
The server then makes the request on behalf of the attacker, effectively bypassing network restrictions.
If the internal target returns sensitive information (cloud metadata, internal API responses, etc.), that data is disclosed to the attacker.
The attack requires that the user already has privileges to access the page management screen (authenticated, with appropriate roles).
No additional authentication is required to perform the malicious request once the privileged user is logged in.
The flaw is triggered when the “migrate” action is invoked with a crafted URL parameter.
Because the request originates from the server’s trusted context, internal firewalls or IP‑based restrictions are circumvented.
The impact is limited to information disclosure; remote code execution is not achieved directly.
Affected versions are Connect CMS 1.x up to 1.41.0 and 2.x from 2.0.0 through 2.41.0.
Patches were released as versions 1.41.1 and 2.41.1, which add strict URL validation (allow‑listing allowed domains or rejecting internal IP ranges).
The vulnerability was reported by Sho Odagiri of GMO Cybersecurity by Ierae, Inc.

dailycve form

Platform: Connect CMS
Version: ≤1.41.0, 2.0.0–2.41.0
Vulnerability: SSRF
Severity: Moderate
date: 2026‑03‑23

Prediction: Already patched

What Undercode Say:

Test for internal metadata endpoint
curl -X POST -H "Cookie: session=..." \
"https://target/plugin/page-management/migrate" \
-d "external_url=http://169.254.169.254/latest/meta-data/"
Detect reachable internal ports
for port in 22 80 443 8080; do
curl -s -o /dev/null -w "%{http_code}" \
"https://target/plugin/page-management/migrate?url=http://127.0.0.1:$port"
done

How Exploit:

Authenticated user with page‑management access navigates to the external migration form.
A malicious URL pointing to an internal resource (e.g., http://10.0.0.1/admin` orhttp://localhost:9200`) is submitted.
The server fetches the resource and returns the response (or an error containing partial data) to the attacker.

Protection from this CVE

Update to Connect CMS 1.41.1 or 2.41.1 immediately.

If patching is delayed, restrict network access from the CMS server to internal IP ranges via firewall rules.
Implement an allow‑list of permitted external domains for migration features.
Enforce strict input validation on the URL parameter, rejecting private IP addresses and non‑HTTP/HTTPS schemes.

Impact

Information disclosure: attacker can read internal cloud metadata, internal API responses, and possibly probe internal network topology.
No direct remote code execution, but exposed internal secrets may lead to further compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top