External Control of File Name or Path in October CMS

#VU28766 External Control of File Name or Path in October CMS

Published: 2020-06-06 | Updated: 2020-06-06

Vulnerability identifier: #VU28766

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5296

CWE-ID: CWE-73

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
October CMS
Web applications / CMS

Vendor: OctoberCMS

Description

The vulnerability allows a remote user to delete arbitrary files.

The vulnerability exists due to application allows an attacker to control path of the files to delete. A remote authenticated user can send a specially crafted HTTP request and delete arbitrary files on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.0.465

External links
http://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc
http://github.com/octobercms/october/security/advisories/GHSA-jv6v-fvvx-4932

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in October CMS