Multiple vulnerabilities in October CMS



Published: 2020-06-06 | Updated: 2022-07-14
Risk Medium
Patch available YES
Number of vulnerabilities 7
CVE-ID CVE-2020-5295, CVE-2020-5299, CVE-2020-11083, CVE-2020-5297, CVE-2020-5298, CVE-2020-5296, CVE-2020-11022
CWE-ID CWE-98, CWE-94, CWE-79, CWE-73
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #3 is available.
Public exploit code for vulnerability #7 is available.
Vulnerable software
October CMS
Web applications / CMS

Vendor OctoberCMS

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) PHP file inclusion

EUVDB-ID: #VU28765

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-5295

CWE-ID: CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program

Exploit availability: Yes

Description

The vulnerability allows a remote user to include and execute arbitrary PHP files on the server.

The vulnerability exists due to incorrect input validation when including PHP files. A remote authenticated user with `cms.manage_assets` permission can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.0.465

External links

http://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc
http://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) CSV Injection

EUVDB-ID: #VU28770

Risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5299

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to inject arbitrary data into CSV files.

The vulnerability exists due to improper input validation when generating CSV files in ImportExportController. A remote attacker can supply specially crafted data that ends up in an exported CSV file and trick the victim into exporting and opening the file with the malicious content.
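Neutralizing cells that a spreadsheet would evaluate as formulas is the usual defence for this class of export issue. The code below is an added illustration written for this bulletin, not October CMS's own ImportExportController code; the sample rows are constructed, and the second record's name stands in for an untrusted form field.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of a formula.
# Tab and carriage return are included because some clients trim them before evaluating.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will store as text rather than evaluate.

    Numbers are passed through unchanged (a negative int is not a formula);
    any other value whose text form starts with a trigger character gets a
    leading single quote, the conventional way to force a text cell.
    """
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_csv(rows, fieldnames):
    """Serialize a list of dict rows to CSV text with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name)) for name in fieldnames})
    return buf.getvalue()


# Constructed sample: the second record's "name" came from an untrusted form field.
SAMPLE_ROWS = [
    {"id": 1, "name": "Alice"},
    {"id": 2, "name": "=1+1"},
    {"id": -3, "name": "@team"},
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS, ["id", "name"]), end="")
```

The trade-off to keep in mind is that legitimate text starting with "-" or "+" (phone numbers, signed strings) is also escaped; strings that are really numbers should be exported as numeric types so they pass through untouched.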


Mitigation

Install updates from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.0.465

External links

http://github.com/octobercms/library/commit/c84bf03f506052c848f2fddc05f24be631427a1a
http://github.com/octobercms/october/commit/802d8c8e09a2b342649393edb6d3ceb958851484
http://github.com/octobercms/october/security/advisories/GHSA-4rhm-m2fp-hx7q


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

EUVDB-ID: #VU28769

Risk: Low

CVSSv3.1: 5 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-11083

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the FormWidget. A remote authenticated user with access to the FormWidget (backend.allow_unsafe_markdown permission) can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.0.465

External links

http://github.com/octobercms/october/security/advisories/GHSA-w4pj-7p68-3vgv


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) External Control of File Name or Path

EUVDB-ID: #VU28768

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5297

CWE-ID: CWE-73 - External Control of File Name or Path

Exploit availability: No

Description

The vulnerability allows a remote user to upload files to arbitrary directory on the server.

The vulnerability exists because the application allows an attacker to control the path of uploaded files. A remote authenticated user with cms.manage_assets permission can upload whitelisted files to any directory on the server.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.0.465

External links

http://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8
http://github.com/octobercms/october/security/advisories/GHSA-9722-rr68-rfpg


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Cross-site scripting

EUVDB-ID: #VU28767

Risk: Low

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5298

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing CSV files. A remote attacker can trick the victim into uploading a specially crafted CSV file and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.0.465

External links

http://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c
http://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) External Control of File Name or Path

EUVDB-ID: #VU28766

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5296

CWE-ID: CWE-73 - External Control of File Name or Path

Exploit availability: No

Description

The vulnerability allows a remote user to delete arbitrary files.

The vulnerability exists because the application allows an attacker to control the path of the files to delete. A remote authenticated user can send a specially crafted HTTP request and delete arbitrary files on the system.
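Vulnerabilities #4 and #6 share a root cause: a user-controlled path reaches the filesystem (as an upload destination or a delete target) without being confined to the intended directory. The check below is an added example written for this bulletin, not October CMS code; the /srv/app/assets base directory and the candidate paths are assumed values, and nothing is touched on disk unless delete_asset is called.

```python
import os


class UnsafePathError(ValueError):
    """Raised when a user-supplied path would land outside the permitted base directory."""


def resolve_within(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it.

    Only relative paths are accepted. Both base and target are made absolute
    with symlinks resolved before comparison, so '..' segments and symlinked
    directories cannot move the target out of base_dir. Checking for base plus
    a separator (not just the base string as a prefix) also rejects sibling
    directories such as 'assets-old'.
    """
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")):
        raise UnsafePathError(f"absolute path {user_path!r} is not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if target != base and not target.startswith(base + os.sep):
        raise UnsafePathError(f"{user_path!r} resolves outside {base_dir!r}")
    return target


def is_safe(base_dir, user_path):
    """True if user_path stays inside base_dir after normalization."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except UnsafePathError:
        return False


def delete_asset(base_dir, user_path):
    """Delete a regular file under base_dir; the path is confined before any I/O."""
    target = resolve_within(base_dir, user_path)
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    os.remove(target)
    return target


if __name__ == "__main__":
    # Constructed candidates against an assumed assets directory.
    for candidate in ("images/logo.png", "../../etc/passwd", "/etc/passwd", "../assets-old/x"):
        verdict = "allowed" if is_safe("/srv/app/assets", candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
```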

Mitigation

Install update from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.0.465

External links

http://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc
http://github.com/octobercms/october/security/advisories/GHSA-jv6v-fvvx-4932


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Cross-site scripting

EUVDB-ID: #VU27052

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-11022

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: Yes

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the regex operation in "jQuery.htmlPrefilter". A remote attacker can pass specially crafted data to an application that hands it to .html(), .append() or similar methods and execute arbitrary JavaScript code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.0.465

External links

http://github.com/octobercms/october/security/advisories/GHSA-v73w-r9xg-7cr9


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
