Lucene search

[email protected]CVE-2020-5297

HistoryJun 03, 2020 - 10:15 p.m.

CVE-2020-5297

2020-06-0322:15:11

CWE-610

CWE-73

[email protected]

web.nvd.nist.gov

cve-2020-5297

octobercms

file upload

authenticated user

vulnerability

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

3.4 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

3.6 Low

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.9%

JSON

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml files to any directory of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission. Issue has been patched in Build 466 (v1.0.466).

Affected configurations

Vulners

NVD

Node

octobercmsoctoberRange1.0.319–1.0.466

VendorProductVersionCPE
octobercmsoctober*cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
octobercms	october	*	cpe:2.3:a:octobercms:october::::::::

CNA Affected

[
  {
    "product": "october",
    "vendor": "octobercms",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.0.319, < 1.0.466"
      }
    ]
  }
]