#VU32948 Improper Authorization in October CMS - CVE-2020-15128

 


Published: July 31, 2020


Vulnerability identifier: #VU32948
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-15128
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
October CMS
Software vendor:
OctoberCMS

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the application does not tie the encrypted cookie value to the cookie name. If an attacker is able to obtain encrypted cookies, it is possible to decrypt that information by supplying the encrypted cookie to the application and letting the application decrypt it.
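The following PHP sketch is an added illustration, not October CMS or vendor code: it contrasts cookie encryption that ignores the cookie name with a form that binds the name into the ciphertext, so a value presented under a different name is rejected. The function names, cookie names, sample values and the choice of AES-256-GCM with the name as additional authenticated data are assumptions made for the example; this page does not describe how the vendor's fix is implemented.

```php
<?php
// Added illustration; not October CMS code. All names here are hypothetical.

// Encrypt a cookie value with AES-256-GCM. When $bindName is true the cookie
// name is supplied as additional authenticated data (AAD), so the result
// only authenticates when presented under that same name.
function sealCookie(string $key, string $name, string $value, bool $bindName): string
{
    $iv  = random_bytes(12);
    $tag = '';
    $aad = $bindName ? $name : '';
    $ct  = openssl_encrypt($value, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Decrypt a cookie received under $name; returns null if it does not verify.
function openCookie(string $key, string $name, string $payload, bool $bindName): ?string
{
    $raw = base64_decode($payload, true);
    if ($raw === false || strlen($raw) < 28) {   // 12-byte IV + 16-byte tag
        return null;
    }
    $aad = $bindName ? $name : '';
    $pt  = openssl_decrypt((string) substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16), $aad);
    return $pt === false ? null : $pt;
}

$key   = random_bytes(32);                // constructed demo key
$value = 'uid=42;email=a@example.test';   // constructed sensitive value

// Weak form: a value sealed for "session" still opens as "display_prefs",
// so the application decrypts it under a name it was never issued for.
$weak = sealCookie($key, 'session', $value, false);
var_dump(openCookie($key, 'display_prefs', $weak, false) === $value);

// Bound form: the same move fails authentication; the right name still works.
$bound = sealCookie($key, 'session', $value, true);
var_dump(openCookie($key, 'display_prefs', $bound, true) === null);
var_dump(openCookie($key, 'session', $bound, true) === $value);
```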


Remediation

Install updates from the vendor's website.

External links