SB2020060608 - Multiple vulnerabilities in October CMS
Published: June 6, 2020 Updated: July 14, 2022
Description
This security bulletin contains information about 7 security vulnerabilities.
1) PHP file inclusion (CVE-ID: CVE-2020-5295)
The vulnerability allows a remote user to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files. A remote authenticated user with `cms.manage_assets` permission can send a specially crafted HTTP request to the affected application and include and execute arbitrary PHP code on the system with the privileges of the web server.
2) CSV Injection (CVE-ID: CVE-2020-5299)
The vulnerability allows a remote attacker to inject arbitrary data into CSV files.
The vulnerability exists due to improper input validation when generating CSV files in ImportExportController. A remote attacker can create specially crafted CSV files and trick the victim into exporting a file with malicious content.
3) Cross-site scripting (CVE-ID: CVE-2020-11083)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the FormWidget. A remote authenticated user with access to the FormWidget (backend.allow_unsafe_markdown permission) can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) External Control of File Name or Path (CVE-ID: CVE-2020-5297)
The vulnerability allows a remote user to upload files to an arbitrary directory on the server.
The vulnerability exists because the application allows an attacker to control the path of uploaded files. A remote authenticated user with cms.manage_assets permission can upload whitelisted files to any directory on the server.
5) Cross-site scripting (CVE-ID: CVE-2020-5298)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing CSV files. A remote attacker can trick the victim into uploading a specially crafted CSV file and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
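As an added illustration of the defensive side of items 2 and 5 (this is example code, not October CMS's ImportExportController), the export path below neutralizes cells that a spreadsheet would evaluate as formulas, and the import path HTML-escapes cell values before they are rendered in a page. Function names and the sample rows are constructed for the example.

```python
import csv
import html
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# (tab and carriage return are included because they can precede the trigger).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value):
    """True if a string cell would be parsed as a formula by a spreadsheet."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Defuse a formula-looking string cell for CSV export.

    A leading single quote forces text interpretation. Only strings are
    touched: numeric values such as -5 stay numbers, so they are not
    rewritten as text (a common false positive with naive filters).
    """
    if is_formula_cell(value):
        return "'" + value
    return value


def export_rows(rows):
    """Serialise rows to CSV text with every cell neutralized and quoted.

    QUOTE_ALL keeps the protective quote and any embedded separators
    inside a quoted field, so the cell survives a round trip through csv.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def render_cell_html(value):
    """Escape an imported cell before placing it in an HTML page (item 5)."""
    return html.escape(str(value), quote=True)


if __name__ == "__main__":
    # Constructed sample: one harmless formula-looking cell and one HTML cell.
    sample = [["name", "note"], ["alice", "=SUM(A1:A2)"], ["bob", "<b>hi</b>"]]
    print(export_rows(sample))
    print(render_cell_html(sample[2][1]))
```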
6) External Control of File Name or Path (CVE-ID: CVE-2020-5296)
The vulnerability allows a remote user to delete arbitrary files.
The vulnerability exists because the application allows an attacker to control the path of the files to delete. A remote authenticated user can send a specially crafted HTTP request and delete arbitrary files on the system.
7) Cross-site scripting (CVE-ID: CVE-2020-11022)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the regex operation in "jQuery.htmlPrefilter". A remote attacker can pass specially crafted data to an application that uses .html(), .append() or similar methods on it and execute arbitrary JavaScript code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install the update from the vendor's website.
References
- https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc
- https://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f
- https://github.com/octobercms/library/commit/c84bf03f506052c848f2fddc05f24be631427a1a
- https://github.com/octobercms/october/commit/802d8c8e09a2b342649393edb6d3ceb958851484
- https://github.com/octobercms/october/security/advisories/GHSA-4rhm-m2fp-hx7q
- https://github.com/octobercms/october/security/advisories/GHSA-w4pj-7p68-3vgv
- https://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8
- https://github.com/octobercms/october/security/advisories/GHSA-9722-rr68-rfpg
- https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c
- https://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c
- https://github.com/octobercms/october/security/advisories/GHSA-jv6v-fvvx-4932
- https://github.com/octobercms/october/security/advisories/GHSA-v73w-r9xg-7cr9