VYPR

Packagist (Composer) package

october/backend

pkg:composer/october/backend

Vulnerabilities (7)

  • CVE-2021-21265 (Mar 10, 2021)
    affected: < 1.1.2; fixed: 1.1.2

    October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exi

  • CVE-2020-15249 (Nov 23, 2020)
    affected: >= 1.0.319, < 1.0.469; fixed: 1.0.469

    October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the upload

  • CVE-2020-15248 (Nov 23, 2020)
    affected: >= 1.0.319, < 1.0.470; fixed: 1.0.470

    October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which rol

  • CVE-2020-11083 (Jul 14, 2020)
    affected: >= 1.0.319, < 1.0.466; fixed: 1.0.466

    In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1

  • CVE-2020-4061 (Jul 2, 2020)
    affected: >= 1.0.319, < 1.0.467; fixed: 1.0.467

    In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467.

  • CVE-2020-5299 (Jun 3, 2020)
    affected: >= 1.0.319, < 1.0.466; fixed: 1.0.466

    In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the `ImportExportController` could potentially introduce a CSV injection into the data to

  • CVE-2020-5298 (Jun 3, 2020)
    affected: >= 1.0.319, < 1.0.466; fixed: 1.0.466

    In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which cou