What is CVE-2020-5296?

CVE-2020-5296 is a medium-severity vulnerability in Octobercms October, classified under External Control of File Name or Path. CVSS score: 6.2/10. Published 2020-06-03.

How severe is CVE-2020-5296?

Medium severity. CVSS v3 base score is 6.2 out of 10.

Vulnerability in Octobercms October

CVE-2020-5296

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an aut…

EPSS: 0.006 (70.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.2 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N.

Affected products

Octobercms October — versions >= 1.0.319, < 1.0.466

Weakness classification (CWE)

CWE-73 — External Control of File Name or Path

References

github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc (x_refsource_MISC)
github.com/octobercms/october/security/advisories/GHSA-jv6v-fvvx-4932 (x_refsource_CONFIRM)
packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-D… (x_refsource_MISC)
20200804 October CMS <= Build 465 Multiple Vulnerabilities - Arbitrary File Read (mailing-list, x_refsource_FULLDISC)

Frequently asked questions

What is CVE-2020-5296?: CVE-2020-5296 is a medium-severity vulnerability in Octobercms October, classified under External Control of File Name or Path. CVSS score: 6.2/10. Published 2020-06-03.
How severe is CVE-2020-5296?: Medium severity. CVSS v3 base score is 6.2 out of 10.