Impact
An attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets
permission.
Patches
Issue has been patched in Build 466 (v1.0.466).
Workarounds
Apply octobercms/october@2b8939c to your installation manually if unable to upgrade to Build 466.
References
Reported by Sivanesh Ashok
For more information
If you have any questions or comments about this advisory:
Threat assessment:
### References
- https://github.com/octobercms/october/security/advisories/
GHSA-jv6v-fvvx-4932
- https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc
- https://nvd.nist.gov/vuln/detail/
CVE-2020-5296
- http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html
- http://seclists.org/fulldisclosure/2020/Aug/2
Impact
An attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the
cms.manage_assets
permission.Patches
Issue has been patched in Build 466 (v1.0.466).
Workarounds
Apply octobercms/october@2b8939c to your installation manually if unable to upgrade to Build 466.
References
Reported by Sivanesh Ashok
For more information
If you have any questions or comments about this advisory:
Threat assessment:
### References - https://github.com/octobercms/october/security/advisories/GHSA-jv6v-fvvx-4932 - https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc - https://nvd.nist.gov/vuln/detail/CVE-2020-5296 - http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html - http://seclists.org/fulldisclosure/2020/Aug/2