CVE-2020-5295

Опубликовано: 03 июн. 2020

Источник: nvd

CVSS3: 4.8

CVSS3: 4.9

CVSS2: 4

EPSS Средний

Описание

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission. Issue has been patched in Build 466 (v1.0.466).

Ссылки

http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2020/Aug/2
Exploit
Mailing List
Third Party Advisory
https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc
Patch
Third Party Advisory
https://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f
Patch
Third Party Advisory
http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html
Exploit
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2020/Aug/2
Exploit
Mailing List
Third Party Advisory
https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc
Patch
Third Party Advisory
https://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*

Версия от 1.0.319 (включая) до 1.0.466 (исключая)

EPSS

Процентиль: 93%

0.10667

Средний

4.8 Medium

CVSS3

4.9 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-98

CWE-829

Связанные уязвимости

GHSA-r23f-c2j5-rx2f

CVSS3: 4.8

github

больше 5 лет назад

Local File read vulnerability in OctoberCMS

EPSS

Процентиль: 93%

0.10667

Средний

4.8 Medium

CVSS3

4.9 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-98

CWE-829