Lucene search

[email protected]CVE-2020-5296

HistoryJun 03, 2020 - 10:15 p.m.

CVE-2020-5296

2020-06-0322:15:11

CWE-610

CWE-73

[email protected]

web.nvd.nist.gov

octobercms

vulnerability

deletion

local files

nvd

cve-2020-5296

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

6.2 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

4.9 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.9%

JSON

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission. Issue has been patched in Build 466 (v1.0.466).

Affected configurations

Vulners

NVD

Node

octobercmsoctoberRange1.0.319–1.0.466

VendorProductVersionCPE
octobercmsoctober*cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
octobercms	october	*	cpe:2.3:a:octobercms:october::::::::

CNA Affected

[
  {
    "product": "october",
    "vendor": "octobercms",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.0.319, < 1.0.466"
      }
    ]
  }
]