4.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
7.6 High
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
16.1%
October CMS is vulnerable to Template Injection. The vulnerability is caused by a crafted request which includes PHP code in the CMS template, where an authenticated backend user possessing the editor.cms_pages
, editor.cms_layouts
, or editor.cms_partials
can execute arbitrary PHP code even when the cms.safe_mode
us enabled. This issue can be exploited by an attacker via crafting a mailicious request resulting in execution of arbitrary PHP code.
CPE | Name | Operator | Version |
---|---|---|---|
october/october | le | v3.4.14 | |
october/october | le | v3.4.14 |
4.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
7.6 High
AI Score
Confidence
High
0.0005 Low
EPSS
Percentile
16.1%