#VU28765 PHP file inclusion in October CMS - CVE-2020-5295

Published: June 6, 2020 / Updated: June 17, 2021


Vulnerability identifier: #VU28765
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2020-5295
CWE-ID: CWE-98
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software:
October CMS
Software vendor:
OctoberCMS

Description

The vulnerability allows a remote user to include and execute arbitrary PHP files on the server.

The vulnerability exists due to incorrect input validation when including PHP files. A remote authenticated user with the `cms.manage_assets` permission can send a specially crafted HTTP request to the affected application and include and execute arbitrary PHP code on the system with the privileges of the web server.
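The weakness class above (CWE-98) is a dynamic `include`/`require` whose path is derived from request input without confining it to the intended directory. The PHP below is an added illustration of the defensive pattern, not October CMS code and not the vendor's fix: the directory name, the `resolveConfinedPath` function and the extension allowlist are assumptions for the example, and it targets PHP 8 (`str_contains`, `str_starts_with`).

```php
<?php
// Added example (not October CMS code): confine a user-supplied file name to
// a base directory before it reaches include(), the control CWE-98 is about.
declare(strict_types=1);

/**
 * Resolve $requested to an absolute path inside $baseDir, or return null if it
 * escapes the directory, uses a stream wrapper, or is not an allowed file type.
 * $baseDir and $allowedExt are assumptions for this example.
 */
function resolveConfinedPath(string $baseDir, string $requested, array $allowedExt = ['php']): ?string
{
    // Reject embedded null bytes and scheme prefixes (php://, data://, http://):
    // include() honours stream wrappers, so a path is not always a local file.
    if ($requested === '' || str_contains($requested, "\0")
        || preg_match('#^[a-z][a-z0-9+.-]*://#i', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() collapses "..", "." and symlinks; false means the file is missing.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }

    // The resolved path must stay under the base directory. The trailing
    // separator stops /srv/app/assets from matching /srv/app/assets-private.
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }

    // Only include files of the expected type.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    return $candidate;
}

// Unsafe pattern this replaces: include $assetDir . '/' . $_GET['file'];
// Hardened use (assumed layout: a directory of vetted template files):
$assetDir = __DIR__ . '/assets';
$path = resolveConfinedPath($assetDir, $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('Invalid asset path');
}
include $path;
```

When the set of includable files is known in advance, a fixed map from request token to file path is stricter than path confinement and is the preferable control. Note also that the vector above requires `PR:H`, i.e. an account holding `cms.manage_assets`; restricting that permission to the accounts that genuinely need it limits who can reach the vulnerable code path until the update is applied.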


Remediation

Install updates from the vendor's website.

External links