CVE-2020-5296 october/cms

Package

Manager: composer
Name: october/cms
Vulnerable Version: >=1.0.319 <1.0.466

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01376 (percentile 0.79526)

Details

Arbitrary File Deletion vulnerability in OctoberCMS

### Impact

An attacker can exploit this vulnerability to delete arbitrary local files on an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission.

### Patches

The issue has been patched in Build 466 (v1.0.466).

### Workarounds

Apply https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc to your installation manually if you are unable to upgrade to Build 466.

### References

Reported by [Sivanesh Ashok](https://stazot.com/)

### For more information

If you have any questions or comments about this advisory:

* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)

### Threat assessment

Screenshot dated 2020-03-31 (image not reproduced): https://user-images.githubusercontent.com/7253840/78060872-89354d00-7349-11ea-8c2b-5881b0a50736.png

Metadata

Created: 2020-06-03T21:58:21Z
Modified: 2021-03-04T18:28:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-jv6v-fvvx-4932/GHSA-jv6v-fvvx-4932.json
CWE IDs: ["CWE-610", "CWE-73"]
Alternative ID: GHSA-jv6v-fvvx-4932
Finding: F098
Auto approve: 1