CVE-2018-1999009

HIGH

October CMS < 1.0.437 - Local File Inclusion and Remote Code Execution via ViewMaker.php

Title source: llm

Description

October CMS versions prior to Build 437 contain a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (makeFileContents function) that can result in sensitive information disclosure and remote code execution. This attack appears to be exploitable remotely if the /backend path is accessible. This vulnerability appears to have been fixed in Build 437.

References (1)

Core References
Vendor Advisory x_refsource_confirm
http://octobercms.com/support/article/rn-10

Scores

CVSS v3 8.1
EPSS 0.0239
EPSS Percentile 81.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-200
Status published
Products (2)
october/october 0 - 1.0.437 (Packagist)
octobercms/october
Published Jul 23, 2018
Tracked Since Feb 18, 2026