Vulnerability Details CVE-2020-15128
In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 31.3%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 3.5
References
- https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c
- https://github.com/octobercms/library/pull/508
- https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63
- https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c
- https://github.com/octobercms/library/pull/508
- https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63
Products affected by CVE-2020-15128
-
cpe:2.3:a:octobercms:october:-
-
cpe:2.3:a:octobercms:october:1.0.100
-
cpe:2.3:a:octobercms:october:1.0.101
-
cpe:2.3:a:octobercms:october:1.0.102
-
cpe:2.3:a:octobercms:october:1.0.103
-
cpe:2.3:a:octobercms:october:1.0.104
-
cpe:2.3:a:octobercms:october:1.0.105
-
cpe:2.3:a:octobercms:october:1.0.106
-
cpe:2.3:a:octobercms:october:1.0.107
-
cpe:2.3:a:octobercms:october:1.0.108
-
cpe:2.3:a:octobercms:october:1.0.109
-
cpe:2.3:a:octobercms:october:1.0.110
-
cpe:2.3:a:octobercms:october:1.0.111
-
cpe:2.3:a:octobercms:october:1.0.112
-
cpe:2.3:a:octobercms:october:1.0.113
-
cpe:2.3:a:octobercms:october:1.0.114
-
cpe:2.3:a:octobercms:october:1.0.115
-
cpe:2.3:a:octobercms:october:1.0.116
-
cpe:2.3:a:octobercms:october:1.0.117
-
cpe:2.3:a:octobercms:october:1.0.118
-
cpe:2.3:a:octobercms:october:1.0.119
-
cpe:2.3:a:octobercms:october:1.0.120
-
cpe:2.3:a:octobercms:october:1.0.121
-
cpe:2.3:a:octobercms:october:1.0.122
-
cpe:2.3:a:octobercms:october:1.0.123
-
cpe:2.3:a:octobercms:october:1.0.124
-
cpe:2.3:a:octobercms:october:1.0.125
-
cpe:2.3:a:octobercms:october:1.0.126
-
cpe:2.3:a:octobercms:october:1.0.127
-
cpe:2.3:a:octobercms:october:1.0.128
-
cpe:2.3:a:octobercms:october:1.0.129
-
cpe:2.3:a:octobercms:october:1.0.130
-
cpe:2.3:a:octobercms:october:1.0.131
-
cpe:2.3:a:octobercms:october:1.0.132
-
cpe:2.3:a:octobercms:october:1.0.133
-
cpe:2.3:a:octobercms:october:1.0.134
-
cpe:2.3:a:octobercms:october:1.0.135
-
cpe:2.3:a:octobercms:october:1.0.136
-
cpe:2.3:a:octobercms:october:1.0.137
-
cpe:2.3:a:octobercms:october:1.0.138
-
cpe:2.3:a:octobercms:october:1.0.139
-
cpe:2.3:a:octobercms:october:1.0.140
-
cpe:2.3:a:octobercms:october:1.0.141
-
cpe:2.3:a:octobercms:october:1.0.142
-
cpe:2.3:a:octobercms:october:1.0.143
-
cpe:2.3:a:octobercms:october:1.0.144
-
cpe:2.3:a:octobercms:october:1.0.145
-
cpe:2.3:a:octobercms:october:1.0.146
-
cpe:2.3:a:octobercms:october:1.0.147
-
cpe:2.3:a:octobercms:october:1.0.148
-
cpe:2.3:a:octobercms:october:1.0.149
-
cpe:2.3:a:octobercms:october:1.0.150
-
cpe:2.3:a:octobercms:october:1.0.151
-
cpe:2.3:a:octobercms:october:1.0.152
-
cpe:2.3:a:octobercms:october:1.0.153
-
cpe:2.3:a:octobercms:october:1.0.154
-
cpe:2.3:a:octobercms:october:1.0.155
-
cpe:2.3:a:octobercms:october:1.0.156
-
cpe:2.3:a:octobercms:october:1.0.157
-
cpe:2.3:a:octobercms:october:1.0.158
-
cpe:2.3:a:octobercms:october:1.0.159
-
cpe:2.3:a:octobercms:october:1.0.160
-
cpe:2.3:a:octobercms:october:1.0.161
-
cpe:2.3:a:octobercms:october:1.0.162
-
cpe:2.3:a:octobercms:october:1.0.163
-
cpe:2.3:a:octobercms:october:1.0.164
-
cpe:2.3:a:octobercms:october:1.0.165
-
cpe:2.3:a:octobercms:october:1.0.166
-
cpe:2.3:a:octobercms:october:1.0.167
-
cpe:2.3:a:octobercms:october:1.0.168
-
cpe:2.3:a:octobercms:october:1.0.169
-
cpe:2.3:a:octobercms:october:1.0.170
-
cpe:2.3:a:octobercms:october:1.0.171
-
cpe:2.3:a:octobercms:october:1.0.172
-
cpe:2.3:a:octobercms:october:1.0.173
-
cpe:2.3:a:octobercms:october:1.0.174
-
cpe:2.3:a:octobercms:october:1.0.175
-
cpe:2.3:a:octobercms:october:1.0.176
-
cpe:2.3:a:octobercms:october:1.0.178
-
cpe:2.3:a:octobercms:october:1.0.179
-
cpe:2.3:a:octobercms:october:1.0.180
-
cpe:2.3:a:octobercms:october:1.0.181
-
cpe:2.3:a:octobercms:october:1.0.182
-
cpe:2.3:a:octobercms:october:1.0.183
-
cpe:2.3:a:octobercms:october:1.0.184
-
cpe:2.3:a:octobercms:october:1.0.185
-
cpe:2.3:a:octobercms:october:1.0.186
-
cpe:2.3:a:octobercms:october:1.0.187
-
cpe:2.3:a:octobercms:october:1.0.191
-
cpe:2.3:a:octobercms:october:1.0.192
-
cpe:2.3:a:octobercms:october:1.0.199
-
cpe:2.3:a:octobercms:october:1.0.205
-
cpe:2.3:a:octobercms:october:1.0.206
-
cpe:2.3:a:octobercms:october:1.0.209
-
cpe:2.3:a:octobercms:october:1.0.210
-
cpe:2.3:a:octobercms:october:1.0.211
-
cpe:2.3:a:octobercms:october:1.0.214
-
cpe:2.3:a:octobercms:october:1.0.215
-
cpe:2.3:a:octobercms:october:1.0.216
-
cpe:2.3:a:octobercms:october:1.0.217
-
cpe:2.3:a:octobercms:october:1.0.218
-
cpe:2.3:a:octobercms:october:1.0.220
-
cpe:2.3:a:octobercms:october:1.0.221
-
cpe:2.3:a:octobercms:october:1.0.222
-
cpe:2.3:a:octobercms:october:1.0.224
-
cpe:2.3:a:octobercms:october:1.0.225
-
cpe:2.3:a:octobercms:october:1.0.226
-
cpe:2.3:a:octobercms:october:1.0.227
-
cpe:2.3:a:octobercms:october:1.0.228
-
cpe:2.3:a:octobercms:october:1.0.229
-
cpe:2.3:a:octobercms:october:1.0.236
-
cpe:2.3:a:octobercms:october:1.0.239
-
cpe:2.3:a:octobercms:october:1.0.245
-
cpe:2.3:a:octobercms:october:1.0.246
-
cpe:2.3:a:octobercms:october:1.0.247
-
cpe:2.3:a:octobercms:october:1.0.249
-
cpe:2.3:a:octobercms:october:1.0.250
-
cpe:2.3:a:octobercms:october:1.0.252
-
cpe:2.3:a:octobercms:october:1.0.258
-
cpe:2.3:a:octobercms:october:1.0.260
-
cpe:2.3:a:octobercms:october:1.0.266
-
cpe:2.3:a:octobercms:october:1.0.267
-
cpe:2.3:a:octobercms:october:1.0.268
-
cpe:2.3:a:octobercms:october:1.0.269
-
cpe:2.3:a:octobercms:october:1.0.270
-
cpe:2.3:a:octobercms:october:1.0.271
-
cpe:2.3:a:octobercms:october:1.0.272
-
cpe:2.3:a:octobercms:october:1.0.273
-
cpe:2.3:a:octobercms:october:1.0.274
-
cpe:2.3:a:octobercms:october:1.0.275
-
cpe:2.3:a:octobercms:october:1.0.276
-
cpe:2.3:a:octobercms:october:1.0.277
-
cpe:2.3:a:octobercms:october:1.0.278
-
cpe:2.3:a:octobercms:october:1.0.279
-
cpe:2.3:a:octobercms:october:1.0.280
-
cpe:2.3:a:octobercms:october:1.0.283
-
cpe:2.3:a:octobercms:october:1.0.284
-
cpe:2.3:a:octobercms:october:1.0.287
-
cpe:2.3:a:octobercms:october:1.0.289
-
cpe:2.3:a:octobercms:october:1.0.290
-
cpe:2.3:a:octobercms:october:1.0.291
-
cpe:2.3:a:octobercms:october:1.0.292
-
cpe:2.3:a:octobercms:october:1.0.293
-
cpe:2.3:a:octobercms:october:1.0.295
-
cpe:2.3:a:octobercms:october:1.0.296
-
cpe:2.3:a:octobercms:october:1.0.297
-
cpe:2.3:a:octobercms:october:1.0.298
-
cpe:2.3:a:octobercms:october:1.0.299
-
cpe:2.3:a:octobercms:october:1.0.300
-
cpe:2.3:a:octobercms:october:1.0.301
-
cpe:2.3:a:octobercms:october:1.0.304
-
cpe:2.3:a:octobercms:october:1.0.305
-
cpe:2.3:a:octobercms:october:1.0.309
-
cpe:2.3:a:octobercms:october:1.0.310
-
cpe:2.3:a:octobercms:october:1.0.313
-
cpe:2.3:a:octobercms:october:1.0.316
-
cpe:2.3:a:octobercms:october:1.0.317
-
cpe:2.3:a:octobercms:october:1.0.318
-
cpe:2.3:a:octobercms:october:1.0.319
-
cpe:2.3:a:octobercms:october:1.0.320
-
cpe:2.3:a:octobercms:october:1.0.321
-
cpe:2.3:a:octobercms:october:1.0.322
-
cpe:2.3:a:octobercms:october:1.0.323
-
cpe:2.3:a:octobercms:october:1.0.324
-
cpe:2.3:a:octobercms:october:1.0.325
-
cpe:2.3:a:octobercms:october:1.0.326
-
cpe:2.3:a:octobercms:october:1.0.327
-
cpe:2.3:a:octobercms:october:1.0.328
-
cpe:2.3:a:octobercms:october:1.0.329
-
cpe:2.3:a:octobercms:october:1.0.330
-
cpe:2.3:a:octobercms:october:1.0.331
-
cpe:2.3:a:octobercms:october:1.0.332
-
cpe:2.3:a:octobercms:october:1.0.333
-
cpe:2.3:a:octobercms:october:1.0.334
-
cpe:2.3:a:octobercms:october:1.0.335
-
cpe:2.3:a:octobercms:october:1.0.336
-
cpe:2.3:a:octobercms:october:1.0.337
-
cpe:2.3:a:octobercms:october:1.0.338
-
cpe:2.3:a:octobercms:october:1.0.339
-
cpe:2.3:a:octobercms:october:1.0.340
-
cpe:2.3:a:octobercms:october:1.0.341
-
cpe:2.3:a:octobercms:october:1.0.342
-
cpe:2.3:a:octobercms:october:1.0.343
-
cpe:2.3:a:octobercms:october:1.0.344
-
cpe:2.3:a:octobercms:october:1.0.345
-
cpe:2.3:a:octobercms:october:1.0.346
-
cpe:2.3:a:octobercms:october:1.0.347
-
cpe:2.3:a:octobercms:october:1.0.348
-
cpe:2.3:a:octobercms:october:1.0.349
-
cpe:2.3:a:octobercms:october:1.0.350
-
cpe:2.3:a:octobercms:october:1.0.351
-
cpe:2.3:a:octobercms:october:1.0.352
-
cpe:2.3:a:octobercms:october:1.0.353
-
cpe:2.3:a:octobercms:october:1.0.354
-
cpe:2.3:a:octobercms:october:1.0.355
-
cpe:2.3:a:octobercms:october:1.0.356
-
cpe:2.3:a:octobercms:october:1.0.357
-
cpe:2.3:a:octobercms:october:1.0.358
-
cpe:2.3:a:octobercms:october:1.0.359
-
cpe:2.3:a:octobercms:october:1.0.360
-
cpe:2.3:a:octobercms:october:1.0.361
-
cpe:2.3:a:octobercms:october:1.0.362
-
cpe:2.3:a:octobercms:october:1.0.363
-
cpe:2.3:a:octobercms:october:1.0.364
-
cpe:2.3:a:octobercms:october:1.0.365
-
cpe:2.3:a:octobercms:october:1.0.366
-
cpe:2.3:a:octobercms:october:1.0.367
-
cpe:2.3:a:octobercms:october:1.0.368
-
cpe:2.3:a:octobercms:october:1.0.369
-
cpe:2.3:a:octobercms:october:1.0.370
-
cpe:2.3:a:octobercms:october:1.0.371
-
cpe:2.3:a:octobercms:october:1.0.372
-
cpe:2.3:a:octobercms:october:1.0.373
-
cpe:2.3:a:octobercms:october:1.0.374
-
cpe:2.3:a:octobercms:october:1.0.375
-
cpe:2.3:a:octobercms:october:1.0.376
-
cpe:2.3:a:octobercms:october:1.0.377
-
cpe:2.3:a:octobercms:october:1.0.378
-
cpe:2.3:a:octobercms:october:1.0.379
-
cpe:2.3:a:octobercms:october:1.0.380
-
cpe:2.3:a:octobercms:october:1.0.381
-
cpe:2.3:a:octobercms:october:1.0.382
-
cpe:2.3:a:octobercms:october:1.0.383
-
cpe:2.3:a:octobercms:october:1.0.384
-
cpe:2.3:a:octobercms:october:1.0.385
-
cpe:2.3:a:octobercms:october:1.0.386
-
cpe:2.3:a:octobercms:october:1.0.387
-
cpe:2.3:a:octobercms:october:1.0.388
-
cpe:2.3:a:octobercms:october:1.0.389
-
cpe:2.3:a:octobercms:october:1.0.390
-
cpe:2.3:a:octobercms:october:1.0.391
-
cpe:2.3:a:octobercms:october:1.0.392
-
cpe:2.3:a:octobercms:october:1.0.393
-
cpe:2.3:a:octobercms:october:1.0.394
-
cpe:2.3:a:octobercms:october:1.0.395
-
cpe:2.3:a:octobercms:october:1.0.396
-
cpe:2.3:a:octobercms:october:1.0.397
-
cpe:2.3:a:octobercms:october:1.0.398
-
cpe:2.3:a:octobercms:october:1.0.399
-
cpe:2.3:a:octobercms:october:1.0.400
-
cpe:2.3:a:octobercms:october:1.0.401
-
cpe:2.3:a:octobercms:october:1.0.402
-
cpe:2.3:a:octobercms:october:1.0.403
-
cpe:2.3:a:octobercms:october:1.0.404
-
cpe:2.3:a:octobercms:october:1.0.405
-
cpe:2.3:a:octobercms:october:1.0.406
-
cpe:2.3:a:octobercms:october:1.0.407
-
cpe:2.3:a:octobercms:october:1.0.408
-
cpe:2.3:a:octobercms:october:1.0.409
-
cpe:2.3:a:octobercms:october:1.0.410
-
cpe:2.3:a:octobercms:october:1.0.411
-
cpe:2.3:a:octobercms:october:1.0.412
-
cpe:2.3:a:octobercms:october:1.0.413
-
cpe:2.3:a:octobercms:october:1.0.414
-
cpe:2.3:a:octobercms:october:1.0.415
-
cpe:2.3:a:octobercms:october:1.0.416
-
cpe:2.3:a:octobercms:october:1.0.417
-
cpe:2.3:a:octobercms:october:1.0.418
-
cpe:2.3:a:octobercms:october:1.0.419
-
cpe:2.3:a:octobercms:october:1.0.420
-
cpe:2.3:a:octobercms:october:1.0.421
-
cpe:2.3:a:octobercms:october:1.0.422
-
cpe:2.3:a:octobercms:october:1.0.423
-
cpe:2.3:a:octobercms:october:1.0.424
-
cpe:2.3:a:octobercms:october:1.0.425
-
cpe:2.3:a:octobercms:october:1.0.426
-
cpe:2.3:a:octobercms:october:1.0.427
-
cpe:2.3:a:octobercms:october:1.0.428
-
cpe:2.3:a:octobercms:october:1.0.429
-
cpe:2.3:a:octobercms:october:1.0.430
-
cpe:2.3:a:octobercms:october:1.0.431
-
cpe:2.3:a:octobercms:october:1.0.432
-
cpe:2.3:a:octobercms:october:1.0.433
-
cpe:2.3:a:octobercms:october:1.0.434
-
cpe:2.3:a:octobercms:october:1.0.435
-
cpe:2.3:a:octobercms:october:1.0.436
-
cpe:2.3:a:octobercms:october:1.0.437
-
cpe:2.3:a:octobercms:october:1.0.438
-
cpe:2.3:a:octobercms:october:1.0.439
-
cpe:2.3:a:octobercms:october:1.0.440
-
cpe:2.3:a:octobercms:october:1.0.441
-
cpe:2.3:a:octobercms:october:1.0.442
-
cpe:2.3:a:octobercms:october:1.0.443
-
cpe:2.3:a:octobercms:october:1.0.444
-
cpe:2.3:a:octobercms:october:1.0.445
-
cpe:2.3:a:octobercms:october:1.0.446
-
cpe:2.3:a:octobercms:october:1.0.447
-
cpe:2.3:a:octobercms:october:1.0.448
-
cpe:2.3:a:octobercms:october:1.0.449
-
cpe:2.3:a:octobercms:october:1.0.45
-
cpe:2.3:a:octobercms:october:1.0.450
-
cpe:2.3:a:octobercms:october:1.0.451
-
cpe:2.3:a:octobercms:october:1.0.452
-
cpe:2.3:a:octobercms:october:1.0.453
-
cpe:2.3:a:octobercms:october:1.0.454
-
cpe:2.3:a:octobercms:october:1.0.455
-
cpe:2.3:a:octobercms:october:1.0.456
-
cpe:2.3:a:octobercms:october:1.0.457
-
cpe:2.3:a:octobercms:october:1.0.458
-
cpe:2.3:a:octobercms:october:1.0.459
-
cpe:2.3:a:octobercms:october:1.0.46
-
cpe:2.3:a:octobercms:october:1.0.460
-
cpe:2.3:a:octobercms:october:1.0.461
-
cpe:2.3:a:octobercms:october:1.0.462
-
cpe:2.3:a:octobercms:october:1.0.463
-
cpe:2.3:a:octobercms:october:1.0.464
-
cpe:2.3:a:octobercms:october:1.0.465
-
cpe:2.3:a:octobercms:october:1.0.466
-
cpe:2.3:a:octobercms:october:1.0.467
-
cpe:2.3:a:octobercms:october:1.0.47
-
cpe:2.3:a:octobercms:october:1.0.48
-
cpe:2.3:a:octobercms:october:1.0.49
-
cpe:2.3:a:octobercms:october:1.0.50
-
cpe:2.3:a:octobercms:october:1.0.51
-
cpe:2.3:a:octobercms:october:1.0.52
-
cpe:2.3:a:octobercms:october:1.0.53
-
cpe:2.3:a:octobercms:october:1.0.54
-
cpe:2.3:a:octobercms:october:1.0.55
-
cpe:2.3:a:octobercms:october:1.0.56
-
cpe:2.3:a:octobercms:october:1.0.57
-
cpe:2.3:a:octobercms:october:1.0.58
-
cpe:2.3:a:octobercms:october:1.0.59
-
cpe:2.3:a:octobercms:october:1.0.60
-
cpe:2.3:a:octobercms:october:1.0.61
-
cpe:2.3:a:octobercms:october:1.0.62
-
cpe:2.3:a:octobercms:october:1.0.63
-
cpe:2.3:a:octobercms:october:1.0.64
-
cpe:2.3:a:octobercms:october:1.0.65
-
cpe:2.3:a:octobercms:october:1.0.66
-
cpe:2.3:a:octobercms:october:1.0.67
-
cpe:2.3:a:octobercms:october:1.0.68
-
cpe:2.3:a:octobercms:october:1.0.69
-
cpe:2.3:a:octobercms:october:1.0.70
-
cpe:2.3:a:octobercms:october:1.0.71
-
cpe:2.3:a:octobercms:october:1.0.72
-
cpe:2.3:a:octobercms:october:1.0.73
-
cpe:2.3:a:octobercms:october:1.0.74
-
cpe:2.3:a:octobercms:october:1.0.75
-
cpe:2.3:a:octobercms:october:1.0.76
-
cpe:2.3:a:octobercms:october:1.0.77
-
cpe:2.3:a:octobercms:october:1.0.78
-
cpe:2.3:a:octobercms:october:1.0.79
-
cpe:2.3:a:octobercms:october:1.0.80
-
cpe:2.3:a:octobercms:october:1.0.81
-
cpe:2.3:a:octobercms:october:1.0.82
-
cpe:2.3:a:octobercms:october:1.0.83
-
cpe:2.3:a:octobercms:october:1.0.84
-
cpe:2.3:a:octobercms:october:1.0.85
-
cpe:2.3:a:octobercms:october:1.0.86
-
cpe:2.3:a:octobercms:october:1.0.87
-
cpe:2.3:a:octobercms:october:1.0.88
-
cpe:2.3:a:octobercms:october:1.0.89
-
cpe:2.3:a:octobercms:october:1.0.90
-
cpe:2.3:a:octobercms:october:1.0.91
-
cpe:2.3:a:octobercms:october:1.0.92
-
cpe:2.3:a:octobercms:october:1.0.93
-
cpe:2.3:a:octobercms:october:1.0.94
-
cpe:2.3:a:octobercms:october:1.0.95
-
cpe:2.3:a:octobercms:october:1.0.96
-
cpe:2.3:a:octobercms:october:1.0.97
-
cpe:2.3:a:octobercms:october:1.0.98
-
cpe:2.3:a:octobercms:october:1.0.99