CVE-2020-5297
Severity: LOW
OctoberCMS 1.0.319-1.0.465 - Authenticated Arbitrary File Upload via Asset Manager
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml files to any directory of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. The issue has been patched in Build 466 (v1.0.466).
References (4)
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/octobercms/october/security/advisories/GHSA-9722-rr68-rfpg
Patch, Third Party Advisory (x_refsource_misc): https://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8
Exploit, Third Party Advisory, VDB Entry (x_refsource_misc): http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html
Exploit, Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2020/Aug/2
Scores
CVSS v3 base score: 3.4
EPSS: 0.0118
EPSS Percentile: 63.5%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N
Details
CWE: CWE-610, CWE-73
Status: published
Products (2)
october/cms: 1.0.319 - 1.0.466 (Packagist)
octobercms/october: 1.0.319 - 1.0.466
Published: Jun 03, 2020
Tracked Since: Feb 18, 2026