CVE-2020-15246 — Incorrect Authorization in October

CWE-863 — Incorrect Authorization CWE-22 — Path Traversal3 documents3 sources

Severity

7.5HIGHNVD

EPSS

1.1%

top 21.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Octobercms October October CMS

Timeline

PublishedNov 23

Description

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build 469 (v1.0.469) and v1.1.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Packagistoctober/cms1.0.421 — 1.0.469

▶NVDoctobercms/october1.0.421 — 1.0.469

▶CVEListV5octobercms/october>= 1.0.421, < 1.0.469

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Local File Inclusion by unauthenticated users↗2020-11-23

▶

OSV

Local File Inclusion by unauthenticated users↗2020-11-23

▶