GHSA-xwjr-6fj7-fc6h

Source
https://github.com/advisories/GHSA-xwjr-6fj7-fc6h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-xwjr-6fj7-fc6h/GHSA-xwjr-6fj7-fc6h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xwjr-6fj7-fc6h
Aliases
Published
2020-11-23T19:48:12Z
Modified
2023-11-08T04:02:35.288204Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Local File Inclusion by unauthenticated users
Details

Impact

An attacker can exploit this vulnerability to read local files on an October CMS server. The vulnerability is exploitable by unauthenticated users via a specially crafted request.

Patches

Issue has been patched in Build 469 (v1.0.469) and v1.1.0.

Workarounds

If you are unable to upgrade to Build 469, apply https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4 to your installation manually.

References

Reported by ka1n4t

For more information

If you have any questions or comments about this advisory:

  • Email us at hello@octobercms.com

Threat assessment:

(Threat assessment screenshot, 2020-10-10: https://user-images.githubusercontent.com/7253840/95663086-4ffc4780-0af9-11eb-9bb6-fd40cf11c033.png)

Database specific
{
    "nvd_published_at": "2020-11-23T20:15:00Z",
    "github_reviewed_at": "2020-11-23T19:23:14Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22",
        "CWE-863"
    ]
}
Affected packages

Packagist / october/cms

Package

Name
october/cms
Purl
pkg:composer/october/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.421
Fixed
1.0.469

Affected versions

v1.*

v1.0.421
v1.0.422
v1.0.423
v1.0.424
v1.0.425
v1.0.426
v1.0.427
v1.0.428
v1.0.429
v1.0.430
v1.0.431
v1.0.432
v1.0.433
v1.0.434
v1.0.435
v1.0.436
v1.0.437
v1.0.438
v1.0.439
v1.0.440
v1.0.441
v1.0.442
v1.0.443
v1.0.444
v1.0.445
v1.0.446
v1.0.447
v1.0.448
v1.0.449
v1.0.450
v1.0.451
v1.0.452
v1.0.453
v1.0.454
v1.0.455
v1.0.456
v1.0.457
v1.0.458
v1.0.459
v1.0.460
v1.0.461
v1.0.462
v1.0.463
v1.0.464
v1.0.465
v1.0.466
v1.0.467
v1.0.468