Packagist (Composer) package
october/cms
pkg:composer/october/cms
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-43876 | — | — | | <= 3.4.16 | — | Sep 28, 2023 | A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field. |
| CVE-2021-21264 | — | — | | >= 1.0.471, < 1.0.472 | 1.0.472 | May 3, 2021 | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-26231 (fixed in 1.0.470/471 and 1.1.1) was discovered that has the same impact as CVE-2020-26231 & CVE-2020-15247. An authenticated backend user with the `cms.manage_ |
| CVE-2020-26231 | — | — | | >= 1.0.469, < 1.0.470 | 1.0.470 | Nov 23, 2020 | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in 1.0.469 and 1.1.0) was discovered that has the same impact as CVE-2020-15247. An authenticated backend user with the cms.manage_pages, cms.manage_layo |
| CVE-2020-15247 | — | — | | >= 1.0.319, < 1.0.469 | 1.0.469 | Nov 23, 2020 | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would n |
| CVE-2020-15246 | — | — | | >= 1.0.421, < 1.0.469 | 1.0.469 | Nov 23, 2020 | October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build |
| CVE-2020-5296 | — | — | | >= 1.0.319, < 1.0.466 | 1.0.466 | Jun 3, 2020 | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.man |
| CVE-2020-5297 | — | — | | >= 1.0.319, < 1.0.466 | 1.0.466 | Jun 3, 2020 | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml files to any directory of an O |
| CVE-2020-5295 | — | — | | >= 1.0.319, < 1.0.466 | 1.0.466 | Jun 3, 2020 | In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` |
| CVE-2017-1000119 | High | 7.2 | | <= 1.0.412 | — | Oct 5, 2017 | October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server. |