Lucene search
Veracode Vulnerability DatabaseVERACODE:25592HistoryJun 04, 2020 - 3:25 a.m.
Arbitrary File Deletion
2020-06-0403:25:07
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
7
0.002 Low
EPSS
Percentile
54.9%
october/october is vulnerable to arbitrary file deletion. The vulnerability exists as the returned value of getFilePath does not validate the real path of the file, allowing an authenticated user with the cms.manage_assets permission to delete files outside the assets directory.
| CPE | Name | Operator | Version |
|---|---|---|---|
| october/october | le | 1.0.465 | |
| october/october | le | 1.0.465 |
References
packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html
seclists.org/fulldisclosure/2020/Aug/2
github.com/advisories/GHSA-jv6v-fvvx-4932
github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc
github.com/octobercms/october/security/advisories/GHSA-jv6v-fvvx-4932
Related
cvelist
cvelist
CVE-2020-5296 Arbitrary File Deletion vulnerability in OctoberCMS
2020-06-03 21:55:23
nvd
nvd
CVE-2020-5296
2020-06-03 22:15:11
cve
cve
CVE-2020-5296
2020-06-03 22:15:11
prion
prion
Code injection
2020-06-03 22:15:00
github
github
Arbitrary File Deletion vulnerability in OctoberCMS
2020-06-03 21:58:21
osv
osv
CVE-2020-5296
2020-06-03 22:15:11
Arbitrary File Deletion vulnerability in OctoberCMS
2020-06-03 21:58:21
zdt
zdt
packetstorm
packetstorm
October CMS Build 465 XSS / File Read / File Deletion / CSV Injection
2020-08-03 00:00:00