CVE-2017-1000119

HIGH

October CMS <build 412 - Code Injection

Title source: llm

Description

October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotephp

https://www.exploit-db.com/exploits/47376

View Code ZIP pw:eip

github WORKING POC

by dugisan3rd · pythonpoc

https://github.com/dugisan3rd/exploit/tree/main/cve-2017-1000119

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by Anti Räis · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/october_upload_bypass_exec.rb

View Code ZIP pw:eip

References (2)

[Vendor Advisory] http://octobercms.com/support/article/rn-8

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/154390/October-CMS-Upload-Protection-Bypass-Code-Execution.html

Scores

CVSS v3 7.2

EPSS 0.7623

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (2)

october/cms 0Packagist

octobercms/october 1.0.412

Published Oct 05, 2017

Tracked Since Feb 18, 2026