Lucene search
Veracode Vulnerability DatabaseVERACODE:25608HistoryJun 04, 2020 - 7:43 a.m.
Unrestricted File Upload
2020-06-0407:43:32
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
10
0.002 Low
EPSS
Percentile
54.9%
OctoberCMS is vulnerable to Unrestricted File Upload. It does not trim and validate the path destinationFullPath, allowing an authenticated backend user with the cms.manage_assets permission to upload files such as jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml to any directory of an October CMS server.
| CPE | Name | Operator | Version |
|---|---|---|---|
| october/october | le | 1.0.465 | |
| october/october | le | 1.0.465 |
References
packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html
seclists.org/fulldisclosure/2020/Aug/2
github.com/advisories/GHSA-9722-rr68-rfpg
github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8
github.com/octobercms/october/security/advisories/GHSA-9722-rr68-rfpg
Related
cve
cve
CVE-2020-5297
2020-06-03 22:15:11
prion
prion
Design/Logic Flaw
2020-06-03 22:15:00
osv
osv
Upload whitelisted files to any directory in OctoberCMS
2020-06-03 21:58:27
CVE-2020-5297
2020-06-03 22:15:11
cvelist
cvelist
CVE-2020-5297 Upload whitelisted files to any directory in OctoberCMS
2020-06-03 21:55:18
nvd
nvd
CVE-2020-5297
2020-06-03 22:15:11
github
github
Upload whitelisted files to any directory in OctoberCMS
2020-06-03 21:58:27
zdt
zdt
packetstorm
packetstorm
October CMS Build 465 XSS / File Read / File Deletion / CSV Injection
2020-08-03 00:00:00