CVE-2020-15248

Published: Nov 23, 2020Modified: Nov 21, 2024

4.2

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Exploitability: 0.8 / Impact: 3.4

Source: NVD

Description

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the new user has. This means that a user with "Publisher" access has the ability to escalate their access to "Developer" access. Issue has been patched in Build 470 (v1.0.470) & v1.1.1.

Affected (1)

Products: Octobercms: October

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Octobercms October	From 1.0.319 to 1.0.469

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://github.com/octobercms/october/commit/78a37298a4ed4602b383522344a31e311402d829

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/octobercms/october/security/advisories/GHSA-rfjc-xrmf-5vvw

Source: security-advisories@github.com

Third Party Advisory

https://github.com/octobercms/october/commit/78a37298a4ed4602b383522344a31e311402d829

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/octobercms/october/security/advisories/GHSA-rfjc-xrmf-5vvw

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.