CVE-2020-15246

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build 469 (v1.0.469) and v1.1.0.

Published: Nov 23, 2020
Updated: May 9, 2024
CVE: CVE-2020-15246
GHSA: GHSA-xwjr-6fj7-fc6h
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-863
CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
octobercms / october	1.0.421	1.0.469
october / cms	1.0.421	1.0.469

https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4
https://github.com/octobercms/october/security/advisories/GHSA-xwjr-6fj7-fc6h

Vulnerability Database

CVE-2020-15246