4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
3.4 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N
0.002 Low
EPSS
Percentile
54.9%
An attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml files to any directory of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets
permission.
Issue has been patched in Build 466 (v1.0.466).
Apply https://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8 to your installation manually if unable to upgrade to Build 466.
Reported by Sivanesh Ashok
If you have any questions or comments about this advisory:
<img width=“1241” alt=“Screen Shot 2020-03-31 at 12 21 10 PM” src=“https://user-images.githubusercontent.com/7253840/78061230-255f5400-734a-11ea-92b4-1120f6960505.png”>
CPE | Name | Operator | Version |
---|---|---|---|
october/cms | lt | 1.0.466 |
packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html
seclists.org/fulldisclosure/2020/Aug/2
github.com/advisories/GHSA-9722-rr68-rfpg
github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8
github.com/octobercms/october/security/advisories/GHSA-9722-rr68-rfpg
nvd.nist.gov/vuln/detail/CVE-2020-5297
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
3.4 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N
0.002 Low
EPSS
Percentile
54.9%