Packagist (Composer) package
october/backend
pkg:composer/october/backend
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-21265 | — | | | < 1.1.2 | 1.1.2 | Mar 10, 2021 | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header, to an October CMS instance) the potential exi |
| CVE-2020-15249 | — | | | >= 1.0.319, < 1.0.469 | 1.0.469 | Nov 23, 2020 | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the upload |
| CVE-2020-15248 | — | | | >= 1.0.319, < 1.0.470 | 1.0.470 | Nov 23, 2020 | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which rol |
| CVE-2020-11083 | — | | | >= 1.0.319, < 1.0.466 | 1.0.466 | Jul 14, 2020 | In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1 |
| CVE-2020-4061 | — | | | >= 1.0.319, < 1.0.467 | 1.0.467 | Jul 2, 2020 | In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467. |
| CVE-2020-5299 | — | | | >= 1.0.319, < 1.0.466 | 1.0.466 | Jun 3, 2020 | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the `ImportExportController` could potentially introduce a CSV injection into the data to |
| CVE-2020-5298 | — | | | >= 1.0.319, < 1.0.466 | 1.0.466 | Jun 3, 2020 | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which cou |