External Control of File Name or Path in October CMS

#VU28768 External Control of File Name or Path in October CMS

Published: 2020-06-06

Vulnerability identifier: #VU28768

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5297

CWE-ID: CWE-73

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
October CMS
Web applications / CMS

Vendor: OctoberCMS

Description

The vulnerability allows a remote user to upload files to arbitrary directory on the server.

The vulnerability exists due to application allows an attacker to control path of the uploaded files. A remote authenticated user with cms.manage_assets permission can upload whitelisted files to any directory on the server.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.0.465

External links
http://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8
http://github.com/octobercms/october/security/advisories/GHSA-9722-rr68-rfpg

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in October CMS