CVE-2020-15249 (GCVE-0-2020-15249)
Vulnerability from cvelistv5 – Published: 2020-11-23 19:50 – Updated: 2024-08-04 13:08
VLAI?
Title
Stored XSS by authenticated backend user with access to upload files
Summary
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target's browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) & v1.1.0.
Severity ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| octobercms | october |
Affected:
>= 1.0.319, < 1.0.469
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:23.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "october",
"vendor": "octobercms",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.319, \u003c 1.0.469"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website\u0027s domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target\u0027s browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) \u0026 v1.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-23T19:50:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q"
}
],
"source": {
"advisory": "GHSA-fx3v-553x-3c4q",
"discovery": "UNKNOWN"
},
"title": "Stored XSS by authenticated backend user with access to upload files",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15249",
"STATE": "PUBLIC",
"TITLE": "Stored XSS by authenticated backend user with access to upload files"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "october",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.0.319, \u003c 1.0.469"
}
]
}
}
]
},
"vendor_name": "octobercms"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website\u0027s domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target\u0027s browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) \u0026 v1.1.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4",
"refsource": "MISC",
"url": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4"
},
{
"name": "https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q",
"refsource": "CONFIRM",
"url": "https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q"
}
]
},
"source": {
"advisory": "GHSA-fx3v-553x-3c4q",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15249",
"datePublished": "2020-11-23T19:50:14.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:23.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GSD-2020-15249
Vulnerability from gsd - Updated: 2023-12-13 01:21Details
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target's browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) & v1.1.0.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-15249",
"description": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website\u0027s domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target\u0027s browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) \u0026 v1.1.0.",
"id": "GSD-2020-15249"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-15249"
],
"details": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website\u0027s domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target\u0027s browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) \u0026 v1.1.0.",
"id": "GSD-2020-15249",
"modified": "2023-12-13T01:21:43.223976Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15249",
"STATE": "PUBLIC",
"TITLE": "Stored XSS by authenticated backend user with access to upload files"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "october",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.0.319, \u003c 1.0.469"
}
]
}
}
]
},
"vendor_name": "octobercms"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website\u0027s domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target\u0027s browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) \u0026 v1.1.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4",
"refsource": "MISC",
"url": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4"
},
{
"name": "https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q",
"refsource": "CONFIRM",
"url": "https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q"
}
]
},
"source": {
"advisory": "GHSA-fx3v-553x-3c4q",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=1.0.319,\u003c1.0.469",
"affected_versions": "All versions starting from 1.0.319 before 1.0.469",
"cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2021-03-04",
"description": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website\u0027s domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target\u0027s browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) \u0026 v1.1.0.",
"fixed_versions": [
"1.0.469"
],
"identifier": "CVE-2020-15249",
"identifiers": [
"GHSA-fx3v-553x-3c4q",
"CVE-2020-15249"
],
"not_impacted": "All versions before 1.0.319, all versions starting from 1.0.469",
"package_slug": "packagist/october/backend",
"pubdate": "2020-11-23",
"solution": "Upgrade to version 1.0.469 or above.",
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"urls": [
"https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q",
"https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4",
"https://nvd.nist.gov/vuln/detail/CVE-2020-15249",
"https://github.com/advisories/GHSA-fx3v-553x-3c4q"
],
"uuid": "e3fabe3c-4277-4dcc-b79b-ddf7ebd2fe6b"
},
{
"affected_range": "\u003e=1.0.319,\u003c1.0.469",
"affected_versions": "All versions starting from 1.0.319 before 1.0.469",
"cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2020-11-30",
"description": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from and, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website\u0027s domain (`i.e.` `/storage/app/media/evil.svg)`, but they would have to convince their target to visit that location directly in the target\u0027s browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed.",
"fixed_versions": [
"1.0.469"
],
"identifier": "CVE-2020-15249",
"identifiers": [
"CVE-2020-15249",
"GHSA-fx3v-553x-3c4q"
],
"not_impacted": "All versions before 1.0.319, all versions starting from 1.0.469",
"package_slug": "packagist/october/october",
"pubdate": "2020-11-23",
"solution": "Upgrade to version 1.0.469 or above.",
"title": "Cross-site Scripting",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-15249"
],
"uuid": "5978ae09-6588-4b94-9d69-4cb9bc5ffa96"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.0.469",
"versionStartIncluding": "1.0.319",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15249"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website\u0027s domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target\u0027s browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) \u0026 v1.1.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q"
},
{
"name": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
}
},
"lastModifiedDate": "2020-11-30T16:06Z",
"publishedDate": "2020-11-23T20:15Z"
}
}
}
FKIE_CVE-2020-15249
Vulnerability from fkie_nvd - Published: 2020-11-23 20:15 - Updated: 2024-11-21 05:05
Severity ?
2.8 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target's browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) & v1.1.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| octobercms | october | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ABEFA590-9054-45DD-A177-D5EBEA49C5B7",
"versionEndExcluding": "1.0.469",
"versionStartIncluding": "1.0.319",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website\u0027s domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target\u0027s browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) \u0026 v1.1.0."
},
{
"lang": "es",
"value": "October es una plataforma CMS gratuita, de c\u00f3digo abierto y autohosteada basada en Laravel PHP Framework.\u0026#xa0;En October CMS desde la versi\u00f3n 1.0.319 y anterior a versi\u00f3n 1.0.469, a los usuarios de backend con acceso para cargar archivos se les permiti\u00f3 cargar archivos SVG sin ning\u00fan saneamiento aplicado a los archivos cargados.\u0026#xa0;Dado que los archivos SVG admiten ser analizados como HTML por los navegadores, esto significa que te\u00f3ricamente podr\u00edan cargar Javascript que se ejecutar\u00eda en una ruta bajo el dominio del sitio web (es decir, /storage/app/media/evil.svg), pero tendr\u00edan que convencer su objetivo para que visite esa ubicaci\u00f3n directamente en el navegador del objetivo, ya que el backend no muestra SVG en l\u00ednea en ning\u00fan lugar, los SVG solo se muestran como recursos de imagen en el backend y, por lo tanto, no se pueden ejecutar.\u0026#xa0;El problema se ha corregido en Build 469 (versi\u00f3n v1.0.469) y versi\u00f3n v1.1.0"
}
],
"id": "CVE-2020-15249",
"lastModified": "2024-11-21T05:05:11.270",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-23T20:15:12.557",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-FX3V-553X-3C4Q
Vulnerability from github – Published: 2020-11-23 19:47 – Updated: 2021-03-04 18:24
VLAI?
Summary
Stored XSS by authenticated backend user with access to upload files
Details
Impact
Backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target's browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed.
Patches
Issue has been patched in Build 469 (v1.0.469) & v1.1.0.
Workarounds
Apply https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4 to your installation manually if unable to upgrade to Build 469 or v1.1.0.
References
Reported by Hoan Hoang
For more information
If you have any questions or comments about this advisory: * Email us at hello@octobercms.com
Threat assessment:
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "october/backend"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.319"
},
{
"fixed": "1.0.469"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15249"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2020-11-23T19:47:07Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\nBackend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website\u0027s domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target\u0027s browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed.\n\n### Patches\nIssue has been patched in Build 469 (v1.0.469) \u0026 v1.1.0.\n\n### Workarounds\nApply https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4 to your installation manually if unable to upgrade to Build 469 or v1.1.0.\n\n### References\nReported by [Hoan Hoang](https://github.com/hoanhp)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n\u003cimg width=\"1107\" alt=\"Screen Shot 2020-10-10 at 1 47 49 PM\" src=\"https://user-images.githubusercontent.com/7253840/95663787-378f2b80-0aff-11eb-8dfc-b97d162939da.png\"\u003e",
"id": "GHSA-fx3v-553x-3c4q",
"modified": "2021-03-04T18:24:54Z",
"published": "2020-11-23T19:47:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15249"
},
{
"type": "WEB",
"url": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Stored XSS by authenticated backend user with access to upload files"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…