#VU38142 Arbitrary file upload in October CMS


Published: 2017-10-05 | Updated: 2020-08-08

Vulnerability identifier: #VU38142

Vulnerability risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-1000119

CWE-ID: CWE-434

Exploitation vector: Network

Exploit availability: No

Vulnerable software: October CMS (Web applications / CMS)

Vendor: OctoberCMS

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

October CMS build 412 is vulnerable to PHP code execution through its file upload functionality, resulting in compromise of the site and possibly of other applications hosted on the same server.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

October CMS: 1.0.412


External links
http://octobercms.com/support/article/rn-8
http://packetstormsecurity.com/files/154390/October-CMS-Upload-Protection-Bypass-Code-Execution.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.