SB2020112201 - Multiple vulnerabilities in October CMS

Description

This security bulletin contains information about 2 vulnerabilities.

1) PHP file inclusion (CVE-ID: CVE-2020-15246)

CWE-ID: CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to include and execute arbitrary PHP files on the server.

The vulnerability exists due to incorrect input validation when including PHP files. A remote non-authenticated attacker can send a specially crafted HTTP request to the affected application and include arbitrary local PHP files from the server.

Successful exploitation of the vulnerability may result in system and application compromise.

2) Stored cross-site scripting (CVE-ID: CVE-2020-15249)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the application allows uploading of SVG files. A remote user can upload an SVG file with HTML code inside and execute it in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• https://github.com/octobercms/october/security/advisories/GHSA-xwjr-6fj7-fc6h/
• https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q/