Vulnerability-Lookup

CVE-2020-15128 (GCVE-0-2020-15128)

Vulnerability from cvelistv5 – Published: 2020-07-31 17:45 – Updated: 2024-08-04 13:08

Title

Reliance on Cookies without validation in OctoberCMS

Summary

In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468).

Severity ?

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N

CWE

CWE-565 - {"CWE-565":"Reliance on Cookies without Validation and Integrity Checking"}

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	octobercms	october	Affected: < 1.0.468

GSD-2020-15128

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-15128

Aliases

CVE-2020-15128

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-15128",
    "description": "In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468).",
    "id": "GSD-2020-15128"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-15128"
      ],
      "details": "In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468).",
      "id": "GSD-2020-15128",
      "modified": "2023-12-13T01:21:43.980812Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-15128",
        "STATE": "PUBLIC",
        "TITLE": "Reliance on Cookies without validation in OctoberCMS"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "october",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.0.468"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "octobercms"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468)."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "{\"CWE-565\":\"Reliance on Cookies without Validation and Integrity Checking\"}"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63",
            "refsource": "CONFIRM",
            "url": "https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63"
          },
          {
            "name": "https://github.com/octobercms/library/pull/508",
            "refsource": "MISC",
            "url": "https://github.com/octobercms/library/pull/508"
          },
          {
            "name": "https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c",
            "refsource": "MISC",
            "url": "https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-55mm-5399-7r63",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.0.468",
          "affected_versions": "All versions before 1.0.468",
          "cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-565",
            "CWE-937"
          ],
          "date": "2020-08-03",
          "description": "In OctoberCMS, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them.",
          "fixed_versions": [
            "1.0.468"
          ],
          "identifier": "CVE-2020-15128",
          "identifiers": [
            "CVE-2020-15128",
            "GHSA-55mm-5399-7r63"
          ],
          "not_impacted": "All versions starting from 1.0.468",
          "package_slug": "packagist/october/october",
          "pubdate": "2020-07-31",
          "solution": "Upgrade to version 1.0.468 or above.",
          "title": "Reliance on Cookies without Validation and Integrity Checking",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-15128"
          ],
          "uuid": "60f1857d-8e67-40e1-9a31-303170bb35ba"
        },
        {
          "affected_range": "\u003e=1.0.319,\u003c1.0.468",
          "affected_versions": "All versions starting from 1.0.319 before 1.0.468",
          "cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-565",
            "CWE-937"
          ],
          "date": "2021-03-04",
          "description": "In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468).",
          "fixed_versions": [
            "1.0.468"
          ],
          "identifier": "CVE-2020-15128",
          "identifiers": [
            "GHSA-55mm-5399-7r63",
            "CVE-2020-15128"
          ],
          "not_impacted": "All versions before 1.0.319, all versions starting from 1.0.468",
          "package_slug": "packagist/october/rain",
          "pubdate": "2020-08-05",
          "solution": "Upgrade to version 1.0.468 or above.",
          "title": "Reliance on Cookies without Validation and Integrity Checking",
          "urls": [
            "https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63",
            "https://github.com/octobercms/library/pull/508",
            "https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c",
            "https://nvd.nist.gov/vuln/detail/CVE-2020-15128",
            "https://github.com/advisories/GHSA-55mm-5399-7r63"
          ],
          "uuid": "baf805a1-ba88-46ec-8958-ace83e30301c"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.0.468",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15128"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468)."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-327"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/octobercms/library/pull/508",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/octobercms/library/pull/508"
            },
            {
              "name": "https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63"
            },
            {
              "name": "https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 4.0
        }
      },
      "lastModifiedDate": "2022-04-25T17:41Z",
      "publishedDate": "2020-07-31T18:15Z"
    }
  }
}

FKIE_CVE-2020-15128

Vulnerability from fkie_nvd - Published: 2020-07-31 18:15 - Updated: 2024-11-21 05:04

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
6.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/octobercms/library/pull/508	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/octobercms/library/pull/508	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63	Third Party Advisory

Impacted products

	Vendor	Product	Version
	octobercms	october	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "63415731-A650-4848-8402-76F1E60C608C",
              "versionEndExcluding": "1.0.468",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468)."
    },
    {
      "lang": "es",
      "value": "En OctoberCMS versiones anteriores a 1.0.468, los valores de cookies cifrados no estaban enlazados al nombre de la cookie a la que pertenec\u00eda el valor. Esto significaba que determinadas clases de ataques que toman ventaja a otras vulnerabilidades te\u00f3ricas en el c\u00f3digo de usuario (nada explotable en el proyecto central en s\u00ed) ten\u00edan una mayor oportunidad de \u00e9xito. Espec\u00edficamente, si su uso expuso una forma para que los usuarios proporcionen informaci\u00f3n de usuario sin filtrar y que se la devuelva como una cookie cifrada (por ejemplo, almacenando una consulta de b\u00fasqueda proporcionada por el usuario en una cookie), podr\u00edan usar la cookie generada en lugar de otras cookies estrictamente controladas; o si su uso expuso la versi\u00f3n de texto plano de una cookie cifrada en alg\u00fan momento al usuario, te\u00f3ricamente podr\u00edan proporcionarle contenido cifrado de su aplicaci\u00f3n como cookie cifrada y forzar al framework a descifrarla. El problema ha sido corregido en el build 468 (versi\u00f3n v1.0.468)"
    }
  ],
  "id": "CVE-2020-15128",
  "lastModified": "2024-11-21T05:04:54.157",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 4.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-31T18:15:14.350",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/octobercms/library/pull/508"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/octobercms/library/pull/508"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-565"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-327"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2020-44628

Vulnerability from cnvd - Published: 2020-08-06

Title

October CMS信息泄露漏洞

Description

October CMS是一套基于PHP和Laravel Web应用程序框架的开源内容管理系统（CMS）。 October CMS 1.0.468之前版本中存在信息泄露漏洞，该漏洞源于程序没有将加密的cookie值绑定到该值的cookie名上。攻击者可利用该漏洞获取敏感信息。

Severity

低

Patch Name

October CMS信息泄露漏洞的补丁

Patch Description

October CMS是一套基于PHP和Laravel Web应用程序框架的开源内容管理系统（CMS）。 October CMS 1.0.468之前版本中存在信息泄露漏洞，该漏洞源于程序没有将加密的cookie值绑定到该值的cookie名上。攻击者可利用该漏洞获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63

Reference

https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c

Impacted products

Name
October CMS October CMS <1.0.468

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-15128",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-15128"
    }
  },
  "description": "October CMS\u662f\u4e00\u5957\u57fa\u4e8ePHP\u548cLaravel Web\u5e94\u7528\u7a0b\u5e8f\u6846\u67b6\u7684\u5f00\u6e90\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff08CMS\uff09\u3002\n\nOctober CMS 1.0.468\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u5c06\u52a0\u5bc6\u7684cookie\u503c\u7ed1\u5b9a\u5230\u8be5\u503c\u7684cookie\u540d\u4e0a\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-44628",
  "openTime": "2020-08-06",
  "patchDescription": "October CMS\u662f\u4e00\u5957\u57fa\u4e8ePHP\u548cLaravel Web\u5e94\u7528\u7a0b\u5e8f\u6846\u67b6\u7684\u5f00\u6e90\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff08CMS\uff09\u3002\r\n\r\nOctober CMS 1.0.468\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u5c06\u52a0\u5bc6\u7684cookie\u503c\u7ed1\u5b9a\u5230\u8be5\u503c\u7684cookie\u540d\u4e0a\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "October CMS\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "October CMS October CMS \u003c1.0.468"
  },
  "referenceLink": "https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c",
  "serverity": "\u4f4e",
  "submitTime": "2020-08-03",
  "title": "October CMS\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

GHSA-55MM-5399-7R63

Vulnerability from github – Published: 2020-08-05 14:52 – Updated: 2021-03-04 18:25

Summary

Reliance on Cookies without validation in OctoberCMS

Details

Impact

Previously encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding.

Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them.

Patches

Issue has been patched in Build 468 (v1.0.468).

NOTE: If you are using the cookie session driver, all of your session data will be invalidated. All other session drivers should smoothly upgrade to the changes (although the backend authentication persist cookie will also be invalidated requiring users to login again once their current session expires).

Workarounds

Apply https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c to your installation manually if unable to upgrade to Build 468.

References

https://blog.laravel.com/laravel-cookie-security-releases
https://github.com/laravel/framework/compare/4c7d118181d6c7f1f883643702df807ced016c5e...a731824421f9ebc586728ea9c7cff231a249aaa9

For more information

If you have any questions or comments about this advisory: * Email us at hello@octobercms.com

Threat Assessment

Assessed as Low given that it is not directly exploitable within the core but requires other security vulnerabilities within the application to have an effect and the severity of its effect depends entirely on the severity of those other holes in the application's defences.

Acknowledgements

Thanks to Takashi Terada of Mitsui Bussan Secure Directions, Inc. for finding the original issue in Laravel and @taylorotwell for sharing the report with the October CMS team.

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/rain"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.319"
            },
            {
              "fixed": "1.0.468"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15128"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327",
      "CWE-565"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-31T17:44:58Z",
    "nvd_published_at": "2020-07-31T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nPreviously encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. \n\nSpecifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. \n\n### Patches\nIssue has been patched in Build 468 (v1.0.468).\n\n\u003e**NOTE**: If you are using the cookie session driver, all of your session data will be invalidated. All other session drivers should smoothly upgrade to the changes (although the backend authentication persist cookie will also be invalidated requiring users to login again once their current session expires).\n\n### Workarounds\nApply https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c to your installation manually if unable to upgrade to Build 468.\n\n### References\n- https://blog.laravel.com/laravel-cookie-security-releases\n- https://github.com/laravel/framework/compare/4c7d118181d6c7f1f883643702df807ced016c5e...a731824421f9ebc586728ea9c7cff231a249aaa9\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat Assessment\nAssessed as Low given that it is not directly exploitable within the core but requires other security vulnerabilities within the application to have an effect and the severity of its effect depends entirely on the severity of those other holes in the application\u0027s defences.\n\n### Acknowledgements\n\nThanks to [Takashi Terada of Mitsui Bussan Secure Directions, Inc.](https://www.linkedin.com/in/takeshi-terada-b570a6100/) for finding the original issue in Laravel and @taylorotwell for sharing the report with the October CMS team.",
  "id": "GHSA-55mm-5399-7r63",
  "modified": "2021-03-04T18:25:42Z",
  "published": "2020-08-05T14:52:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15128"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/library/pull/508"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Reliance on Cookies without validation in OctoberCMS"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-15128 (GCVE-0-2020-15128)

GSD-2020-15128

FKIE_CVE-2020-15128

CNVD-2020-44628

GHSA-55MM-5399-7R63

Impact

Patches

Workarounds

References

For more information

Threat Assessment

Acknowledgements

Tags

Sightings

Nomenclature