CVE-2020-5297 LOW

CVE-2020-5297: Upload whitelisted files to any directory in OctoberCMS

Vendor Octobercms
Product october
Weakness CWE-73
Published June 3, 2020
Last update August 4, 2024

CVSS base score

3.4/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml files to any directory of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466).

Key dates

02Disclosure timeline

June 3, 2020 CVE published
August 4, 2024 Record updated