CVE-2020-15128

Reliance on Cookies without validation in OctoberCMS

Severity Score

6.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468).

En OctoberCMS versiones anteriores a 1.0.468, los valores de cookies cifrados no estaban enlazados al nombre de la cookie a la que pertenecía el valor. Esto significaba que determinadas clases de ataques que toman ventaja a otras vulnerabilidades teóricas en el código de usuario (nada explotable en el proyecto central en sí) tenían una mayor oportunidad de éxito. Específicamente, si su uso expuso una forma para que los usuarios proporcionen información de usuario sin filtrar y que se la devuelva como una cookie cifrada (por ejemplo, almacenando una consulta de búsqueda proporcionada por el usuario en una cookie), podrían usar la cookie generada en lugar de otras cookies estrictamente controladas; o si su uso expuso la versión de texto plano de una cookie cifrada en algún momento al usuario, teóricamente podrían proporcionarle contenido cifrado de su aplicación como cookie cifrada y forzar al framework a descifrarla. El problema ha sido corregido en el build 468 (versión v1.0.468)

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-06-25 CVE Reserved
2020-07-31 CVE Published
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-565: Reliance on Cookies without Validation and Integrity Checking

CAPEC

References (3)

URL	Tag	Source
https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c	2022-04-25
https://github.com/octobercms/library/pull/508	2022-04-25

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Octobercms Search vendor "Octobercms"		October Search vendor "Octobercms" for product "October"				< 1.0.468 Search vendor "Octobercms" for product "October" and version " < 1.0.468"		-		Affected