Main Vulnerability Database Exploits ID:5649 - Exploit for PHP file inclusion in October CMS - CVE-2020-5295

ID:5649 - Exploit for PHP file inclusion in October CMS - CVE-2020-5295

Published: June 17, 2021

Vulnerability identifier: #VU28765

Vulnerability risk: Medium

CVE-ID: CVE-2020-5295

CWE-ID: CWE-98

Exploitation vector: Remote access

Vulnerable software:
October CMS

Link to public exploit:

https://www.exploit-db.com/exploits/49045/

Vulnerability description

The vulnerability allows a remote user to include and execute arbitrary PHP files on the server.

The vulnerability exists due to incorrect input validation when including PHP files. A remote authenticated user with `cms.manage_assets` permission can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.

Remediation

Install updates from vendor's website.

ID:5649 - Exploit for PHP file inclusion in October CMS - CVE-2020-5295

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human