What is CVE-2020-15246?

CVE-2020-15246 is a high-severity vulnerability in Octobercms October, classified under Incorrect Authorization. CVSS score: 7.5/10. Published 2020-11-23.

How severe is CVE-2020-15246?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2020-15246 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Auth bypass in Octobercms October

CVE-2020-15246

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted…

Vulnerability class: Broken Access Control

EPSS: 0.011 (78.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Octobercms October — versions >= 1.0.421, < 1.0.469

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

Public proof-of-concept exploits

References

github.com/octobercms/october/security/advisories/GHSA-xwjr-6fj7-fc6h (x_refsource_CONFIRM)
github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4 (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-15246?: CVE-2020-15246 is a high-severity vulnerability in Octobercms October, classified under Incorrect Authorization. CVSS score: 7.5/10. Published 2020-11-23.
How severe is CVE-2020-15246?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2020-15246 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.