CVE-2020-5299 — Command Injection in October

CWE-77 — Command Injection3 documents3 sources

Severity

5.1MEDIUMNVD

EPSS

0.7%

top 28.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Octobercms October October Backend

Timeline

PublishedJun 3

Description

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the `ImportExportController` could potentially introduce a CSV injection into the data to cause the generated CSV export file to be malicious. This requires attackers to achieve the following before a successful attack can be completed: 1. Have found a vulnerability in the victims spreadsheet software of choi…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:LExploitability: 1.0 | Impact: 3.7

Affected Packages3 packages

▶NVDoctobercms/october1.0.319 — 1.0.466

▶CVEListV5octobercms/october>= 1.0.319, < 1.0.466

▶Packagistoctober/backend1.0.319 — 1.0.466

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Potential CSV Injection vector in OctoberCMS↗2020-06-03

▶

OSV

Potential CSV Injection vector in OctoberCMS↗2020-06-03

▶