CVE-2020-5295 MEDIUM

CVE-2020-5295: Local File read vulnerability in OctoberCMS

Vendor Octobercms

Product october

Weakness CWE-98 · PHP file inclusion

Published June 3, 2020

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466).

Key dates

02Disclosure timeline

June 3, 2020 CVE published

August 4, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-5295

Related vulnerabilities

04Related CVE

CVE-2024-4670 All-in-One Video Gallery <= 3.6.5 - Authenticated (Contributor+) Local File Inclusion via aiovg_search_form Shortcode CVE-2025-49383 WordPress Neresa Theme <= 1.3 - Local File Inclusion Vulnerability CVE-2026-24609 WordPress Laurent theme <= 3.1 - Local File Inclusion vulnerability CVE-2026-32393 WordPress Greenly Theme Addons plugin < 8.2 - Local File Inclusion vulnerability CVE-2025-58935 WordPress Lunna theme <= 1.15 - Local File Inclusion vulnerability