Platform
php
Component
october/backend
Fixed in
1.0.320
1.0.469
CVE-2020-15249 describes a cross-site scripting (XSS) vulnerability within the October CMS backend file upload functionality. This flaw allows authenticated backend users to upload SVG files without proper sanitization, potentially enabling malicious JavaScript execution. The vulnerability impacts versions of October CMS up to and including v1.0.468, and a fix is available in version 1.0.469.
An attacker exploiting this vulnerability could upload a specially crafted SVG file containing malicious JavaScript code. While the backend doesn't display SVGs inline, if a user directly navigates to the uploaded SVG file's URL (e.g., /storage/app/media/evil.svg), the JavaScript would execute within their browser context. This could lead to session hijacking, credential theft, or defacement of the website. The impact is limited by the requirement for the user to directly access the file, preventing automatic exploitation through backend processes. The potential for data exfiltration and user compromise makes this a concerning vulnerability, particularly in environments with sensitive data or privileged user accounts.
This vulnerability was publicly disclosed on November 23, 2020. There is no indication of active exploitation campaigns targeting this specific CVE. No public proof-of-concept (PoC) code has been widely distributed, but the vulnerability's nature makes it relatively straightforward to exploit. It is not currently listed on the CISA KEV catalog.
Organizations using October CMS versions prior to 1.0.469, particularly those with backend users who have file upload privileges, are at risk. Shared hosting environments where users have independent file upload capabilities are also particularly vulnerable.
• linux / server:
find /var/www/october/storage/app/media -name '*.svg' -print0 | xargs -0 grep -i '<script'
• generic web:
curl -I https://your-october-cms-site.com/storage/app/media/evil.svg | grep Content-Type
• generic web:
Check web server access logs for requests to files under /storage/app/media with unusual user agents or referring URLs.
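The grep check above only catches a literal `<script` tag; an SVG can also carry JavaScript in on* event-handler attributes, javascript: URLs and foreignObject embeds. The following Python scanner is an added defender-side example, not code from this page or from the October CMS project; it parses each SVG under a media directory (the path and the two sample documents are constructed) and reports every such marker for manual review.

```python
import os
import re
import xml.etree.ElementTree as ET

# Markers of active content in SVG. Any attribute whose local name starts with "on" is an event handler.
JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)
ACTIVE_TAGS = {"script", "foreignobject"}  # foreignObject can embed arbitrary HTML
HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}

def local_name(tag: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1].lower()

def find_active_content(svg_text: str) -> list:
    """Return a list of findings for one SVG document; an empty list means nothing suspicious was seen."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # An unparseable file cannot be proven safe, so report it instead of skipping it.
        return [f"parse-error: {exc}"]
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = local_name(attr)
            if attr_name.startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr in HREF_ATTRS and JS_SCHEME.match(value):
                findings.append(f"javascript: URL in {attr_name} on <{name}>")
    return findings

def scan_media_dir(media_dir: str) -> list:
    """Walk a media directory (e.g. storage/app/media) and return (path, findings) for every flagged SVG."""
    flagged = []
    for dirpath, _, filenames in os.walk(media_dir):
        for fn in filenames:
            if fn.lower().endswith(".svg"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = find_active_content(fh.read())
                if findings:
                    flagged.append((path, findings))
    return flagged

# Constructed samples: a benign icon, and one that carries an onload handler and a javascript: link
# without any <script> tag, so the plain grep above would not report it.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
HANDLER_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
               '<a xlink:href="javascript:alert(2)"><text>x</text></a></svg>')
```

Run `scan_media_dir("/var/www/october/storage/app/media")` on the server and review each flagged path; a finding does not prove an upload was hostile, but every flagged file should be sanitized or removed before the 1.0.469 upgrade is verified.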
disclosure
Exploit status
EPSS
0.17% (38th percentile)
CVSS vector
The primary mitigation for CVE-2020-15249 is to upgrade October CMS to version 1.0.469 or later, which includes the necessary sanitization fixes. If upgrading immediately is not feasible, consider implementing a temporary workaround by restricting direct access to the /storage/app/media directory through your web server configuration (e.g., using .htaccess or Nginx rules). Additionally, implement strict input validation and sanitization for all file uploads to prevent similar vulnerabilities in the future. After upgrading, confirm the fix by attempting to upload a test SVG file containing a simple JavaScript alert and verifying that it is properly sanitized and does not execute.
Update October CMS to version 1.0.469 or later. This version fixes the stored XSS vulnerability by applying sanitization to uploaded SVG files. Alternatively, update to version 1.1.0.
CVE-2020-15249 is a cross-site scripting (XSS) vulnerability in October CMS that allows attackers to upload malicious SVG files.
You are affected if you are using October CMS versions 1.0.468 or earlier. Upgrade to 1.0.469 or later to resolve the issue.
Upgrade October CMS to version 1.0.469 or later. As a temporary workaround, restrict direct access to the /storage/app/media directory.
There is no current evidence of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the official October CMS security advisory: https://octobercms.com/support/security