Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 7 |
CVE-ID | CVE-2020-5295 CVE-2020-5299 CVE-2020-11083 CVE-2020-5297 CVE-2020-5298 CVE-2020-5296 CVE-2020-11022 |
CWE-ID | CWE-98 CWE-94 CWE-79 CWE-73 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #7 is available. |
Vulnerable software | October CMS (Web applications / CMS) |
Vendor | OctoberCMS |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
EUVDB-ID: #VU28765
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-5295
CWE-ID:
CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
Exploit availability: Yes
Description
The vulnerability allows a remote user to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files. A remote authenticated user with `cms.manage_assets` permission can send a specially crafted HTTP request to the affected application and include and execute arbitrary PHP code on the system with the privileges of the web server.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
October CMS: 1.0.319 - 1.0.465
External links
http://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc
http://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU28770
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5299
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
Description
The vulnerability allows a remote attacker to inject arbitrary data into CSV files.
The vulnerability exists due to improper input validation when generating CSV files in `ImportExportController`. A remote attacker can create specially crafted CSV files and trick the victim into exporting the file with malicious content.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
October CMS: 1.0.319 - 1.0.465
External links
http://github.com/octobercms/library/commit/c84bf03f506052c848f2fddc05f24be631427a1a
http://github.com/octobercms/october/commit/802d8c8e09a2b342649393edb6d3ceb958851484
http://github.com/octobercms/october/security/advisories/GHSA-4rhm-m2fp-hx7q
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU28769
Risk: Low
CVSSv3.1: 5 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-11083
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the FormWidget. A remote authenticated user with access to the FormWidget (`backend.allow_unsafe_markdown` permission) can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
October CMS: 1.0.319 - 1.0.465
External links
http://github.com/octobercms/october/security/advisories/GHSA-w4pj-7p68-3vgv
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU28768
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5297
CWE-ID:
CWE-73 - External Control of File Name or Path
Exploit availability: No
Description
The vulnerability allows a remote user to upload files to an arbitrary directory on the server.
The vulnerability exists because the application allows an attacker to control the path of uploaded files. A remote authenticated user with `cms.manage_assets` permission can upload whitelisted files to any directory on the server.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
October CMS: 1.0.319 - 1.0.465
External links
http://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8
http://github.com/octobercms/october/security/advisories/GHSA-9722-rr68-rfpg
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU28767
Risk: Low
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5298
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing CSV files. A remote attacker can trick the victim into uploading a specially crafted CSV file and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
October CMS: 1.0.319 - 1.0.465
External links
http://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c
http://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU28766
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-5296
CWE-ID:
CWE-73 - External Control of File Name or Path
Exploit availability: No
Description
The vulnerability allows a remote user to delete arbitrary files.
The vulnerability exists because the application allows an attacker to control the path of the files to delete. A remote authenticated user can send a specially crafted HTTP request and delete arbitrary files on the system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
October CMS: 1.0.319 - 1.0.465
External links
http://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc
http://github.com/octobercms/october/security/advisories/GHSA-jv6v-fvvx-4932
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
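An added illustration (not October CMS's patch and not code from this bulletin) of the control that the two CWE-73 entries above, CVE-2020-5297 and CVE-2020-5296, call for: canonicalize the requested path and refuse anything that resolves outside the intended base directory. The helper name `resolveInside` and the temporary directory used as an assets root are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not October CMS code): map a user-supplied relative
// path to an absolute path inside $baseDir, or return null if it escapes.
function resolveInside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($userPath, "\0") !== false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
    $name = basename($candidate);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() collapses ".." and follows symlinks but needs an existing
    // path, so canonicalize the parent; this also covers new upload targets.
    $parent = realpath(dirname($candidate));
    if ($parent === false) {
        return null;
    }
    $resolved = $parent . DIRECTORY_SEPARATOR . $name;
    // An existing leaf may itself be a symlink pointing elsewhere.
    if (file_exists($resolved) || is_link($resolved)) {
        $resolved = realpath($resolved);
        if ($resolved === false) {
            return null;
        }
    }
    // Compare against "base/" so "/srv/assets-old" does not pass for "/srv/assets".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($resolved, $prefix, strlen($prefix)) === 0 ? $resolved : null;
}

// Constructed demo data: a throwaway directory standing in for an assets root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'assets-demo-' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'css', 0700, true);
foreach (['css/site.css', '/css/new.css', '../outside.txt', 'css/../../outside.txt', 'css/..'] as $p) {
    printf("%-24s => %s\n", $p, resolveInside($root, $p) ?? 'REJECTED');
}
rmdir($root . DIRECTORY_SEPARATOR . 'css');
rmdir($root);
```

The same check applies before both write and delete operations; a file-extension whitelist alone does not constrain where a file lands.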
EUVDB-ID: #VU27052
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-11022
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: Yes
Description
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the regex operation in "jQuery.htmlPrefilter". A remote attacker can pass specially crafted data to the application that uses `.html()`, `.append()` or similar methods for it and execute arbitrary JavaScript code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Mitigation
Install update from vendor's website.
Vulnerable software versions
October CMS: 1.0.319 - 1.0.465
External links
http://github.com/octobercms/october/security/advisories/GHSA-v73w-r9xg-7cr9
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.