CVE-2020-5299 – Potential CSV Injection vector in OctoberCMS
https://notcve.org/view.php?id=CVE-2020-5299
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the `ImportExportController` could potentially introduce a CSV injection into the data to cause the generated CSV export file to be malicious. This requires attackers to achieve the following before a successful attack can be completed: 1. Have found a vulnerability in the victims spreadsheet software of choice. 2. Control data that would potentially be exported through the `ImportExportController` by a theoretical victim. 3. Convince the victim to export above data as a CSV and run it in vulnerable spreadsheet software while also bypassing any sanity checks by said software. • http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html http://seclists.org/fulldisclosure/2020/Aug/2 https://github.com/octobercms/library/commit/c84bf03f506052c848f2fddc05f24be631427a1a https://github.com/octobercms/october/commit/802d8c8e09a2b342649393edb6d3ceb958851484 https://github.com/octobercms/october/security/advisories/GHSA-4rhm-m2fp-hx7q • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2020-5296 – Arbitrary File Deletion vulnerability in OctoberCMS
https://notcve.org/view.php?id=CVE-2020-5296
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466). En OctoberCMS (paquete de compositor october/october) versiones desde 1.0.319 y anteriores a 1.0.466, un atacante puede explotar esta vulnerabilidad para eliminar archivos locales arbitrarios de un servidor de October CMS. La vulnerabilidad solo es explotable por un usuario de backend autenticado con el permiso "cms.manage_assets". • http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html http://seclists.org/fulldisclosure/2020/Aug/2 https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc https://github.com/octobercms/october/security/advisories/GHSA-jv6v-fvvx-4932 • CWE-73: External Control of File Name or Path CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVE-2020-5297 – Upload whitelisted files to any directory in OctoberCMS
https://notcve.org/view.php?id=CVE-2020-5297
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml files to any directory of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466). En OctoberCMS (paquete de compositor october/october) versiones desde 1.0.319 y anteriores a 1.0.466, un atacante puede explotar esta vulnerabilidad para cargar archivos jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml hacia cualquier directorio de un servidor de October CMS. La vulnerabilidad solo es explotable por un usuario de backend autenticado con el permiso "cms.manage_assets". • http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html http://seclists.org/fulldisclosure/2020/Aug/2 https://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8 https://github.com/octobercms/october/security/advisories/GHSA-9722-rr68-rfpg • CWE-73: External Control of File Name or Path CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVE-2020-5298 – Reflected XSS when importing CSV in OctoberCMS
https://notcve.org/view.php?id=CVE-2020-5298
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466). En OctoberCMS (paquete de compositor october/october) versiones desde 1.0.319 y anteriores a 1.0.466, un usuario con la habilidad de usar la funcionalidad import del comportamiento de la función "ImportExportController" puede ser ingeniería social por parte de un atacante para descargar un archivo CSV malicioso que podría resultar en un ataque de tipo XSS reflejado en el usuario en cuestión. El problema ha sido parcheado en el Build 466 (versión v1.0.466) October CMS builds 465 and below suffer from arbitrary file read, arbitrary file deletion, file uploading to arbitrary locations, persistent and reflective cross site scripting, and CSV injection vulnerabilities. • http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html http://seclists.org/fulldisclosure/2020/Aug/2 https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c https://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-87: Improper Neutralization of Alternate XSS Syntax •
CVE-2020-5295 – Local File read vulnerability in OctoberCMS
https://notcve.org/view.php?id=CVE-2020-5295
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466). En OctoberCMS (paquete de compositor october/october) versiones desde 1.0.319 y anteriores a 1.0.466, un atacante puede explotar esta vulnerabilidad para leer archivos locales de un servidor de October CMS. La vulnerabilidad solo es explotable por un usuario de backend autenticado con el permiso "cms.manage_assets". • https://www.exploit-db.com/exploits/49045 http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html http://seclists.org/fulldisclosure/2020/Aug/2 https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc https://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') CWE-829: Inclusion of Functionality from Untrusted Control Sphere •