#VU28765 PHP file inclusion in October CMS
Vulnerability identifier: #VU28765
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-98
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
October CMS
Web applications /
CMS
Vendor: OctoberCMS
Description
The vulnerability allows a remote user to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files. A remote authenticated user with `cms.manage_assets` permission can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
October CMS: 1.0.319 - 1.0.465
External links
http://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc
http://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
