SB2020060608 - Multiple vulnerabilities in October CMS
Published: June 6, 2020 Updated: July 14, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 vulnerabilities.
1) PHP file inclusion (CVE-ID: CVE-2020-5295)
CWE-ID: CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote user to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files. A remote authenticated user with `cms.manage_assets` permission can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.
2) CSV Injection (CVE-ID: CVE-2020-5299)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to inject arbitrary data into SCV files.
The vulnerability exists due to improper input validation when generating SCV files in ImportExportController. A remote attacker can create specially crafted SCV files and trick the victim into exporting the file with malicious content.
3) Cross-site scripting (CVE-ID: CVE-2020-11083)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the FormWidget. A remote authenticated user with access to the FormWidget (backend.allow_unsafe_markdown permission) can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) External Control of File Name or Path (CVE-ID: CVE-2020-5297)
CWE-ID: CWE-73 - External Control of File Name or Path
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to upload files to arbitrary directory on the server.
The vulnerability exists due to application allows an attacker to control path of the uploaded files. A remote authenticated user with cms.manage_assets permission can upload whitelisted files to any directory on the server.
5) Cross-site scripting (CVE-ID: CVE-2020-5298)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when proessing CSV files. A remote attacker can trick the victim to follow upload a specially craftde CSV file and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
6) External Control of File Name or Path (CVE-ID: CVE-2020-5296)
CWE-ID: CWE-73 - External Control of File Name or Path
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete arbitrary files.
The vulnerability exists due to application allows an attacker to control path of the files to delete. A remote authenticated user can send a specially crafted HTTP request and delete arbitrary files on the system.
7) Cross-site scripting (CVE-ID: CVE-2020-11022)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the regex operation in "jQuery.htmlPrefilter". A remote attacker can pass specially crafted data to the application that uses .html()</code>, <code>.append() or similar methods for it and execute arbitrary JavaScript code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.
References
- https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc
- https://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f
- https://github.com/octobercms/library/commit/c84bf03f506052c848f2fddc05f24be631427a1a
- https://github.com/octobercms/october/commit/802d8c8e09a2b342649393edb6d3ceb958851484
- https://github.com/octobercms/october/security/advisories/GHSA-4rhm-m2fp-hx7q
- https://github.com/octobercms/october/security/advisories/GHSA-w4pj-7p68-3vgv
- https://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8
- https://github.com/octobercms/october/security/advisories/GHSA-9722-rr68-rfpg
- https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c
- https://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c
- https://github.com/octobercms/october/security/advisories/GHSA-jv6v-fvvx-4932
- https://github.com/octobercms/october/security/advisories/GHSA-v73w-r9xg-7cr9