CVE-2020-15248 MEDIUM

CVE-2020-15248: Privilege escalation by backend users assigned to the default "Publisher" system role

Vendor Octobercms

Product october

Weakness CWE-863 · Incorrect authorization

Published November 23, 2020

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

4.0/10

Attack vector Local

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the new user has. This means that a user with "Publisher" access has the ability to escalate their access to "Developer" access. Issue has been patched in Build 470 (v1.0.470) & v1.1.1.

Key dates

02Disclosure timeline

November 23, 2020 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-15248

Related vulnerabilities

CVE-2020-15248: Privilege escalation by backend users assigned to the default "Publisher" system role

01Description

02Disclosure timeline

03References

04Related CVE