Description
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. The issue has been patched in Build 469 (v1.0.469) and v1.1.0.
References (2)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/octobercms/october/security/advisories/GHSA-xwjr-6fj7-fc6h
Patch, Third Party Advisory x_refsource_misc
https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4
Scores
CVSS v3
7.5
EPSS
0.0109
EPSS Percentile
78.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
CWE-863
Status
published
Products (2)
october/cms
1.0.421 - 1.0.469 (Packagist)
octobercms/october
1.0.421 - 1.0.469
Published
Nov 23, 2020
Tracked Since
Feb 18, 2026