CVE-2020-5296 MEDIUM

CVE-2020-5296: Arbitrary File Deletion vulnerability in OctoberCMS

Vendor Octobercms
Product october
Weakness CWE-73
Published June 3, 2020
Last update August 4, 2024

CVSS base score

6.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

What the vulnerability does

01Description

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466).

Key dates

02Disclosure timeline

June 3, 2020 CVE published
August 4, 2024 Record updated