Vulnerability Details CVE-2020-15248
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the new user has. This means that a user with "Publisher" access has the ability to escalate their access to "Developer" access. Issue has been patched in Build 470 (v1.0.470) & v1.1.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 15.0%
CVSS Severity
CVSS v3 Score 4.0
CVSS v2 Score 4.6
References
- https://github.com/octobercms/october/commit/78a37298a4ed4602b383522344a31e311402d829
- https://github.com/octobercms/october/security/advisories/GHSA-rfjc-xrmf-5vvw
- https://github.com/octobercms/october/commit/78a37298a4ed4602b383522344a31e311402d829
- https://github.com/octobercms/october/security/advisories/GHSA-rfjc-xrmf-5vvw
Products affected by CVE-2020-15248
-
cpe:2.3:a:octobercms:october:1.0.319
-
cpe:2.3:a:octobercms:october:1.0.320
-
cpe:2.3:a:octobercms:october:1.0.321
-
cpe:2.3:a:octobercms:october:1.0.322
-
cpe:2.3:a:octobercms:october:1.0.323
-
cpe:2.3:a:octobercms:october:1.0.324
-
cpe:2.3:a:octobercms:october:1.0.325
-
cpe:2.3:a:octobercms:october:1.0.326
-
cpe:2.3:a:octobercms:october:1.0.327
-
cpe:2.3:a:octobercms:october:1.0.328
-
cpe:2.3:a:octobercms:october:1.0.329
-
cpe:2.3:a:octobercms:october:1.0.330
-
cpe:2.3:a:octobercms:october:1.0.331
-
cpe:2.3:a:octobercms:october:1.0.332
-
cpe:2.3:a:octobercms:october:1.0.333
-
cpe:2.3:a:octobercms:october:1.0.334
-
cpe:2.3:a:octobercms:october:1.0.335
-
cpe:2.3:a:octobercms:october:1.0.336
-
cpe:2.3:a:octobercms:october:1.0.337
-
cpe:2.3:a:octobercms:october:1.0.338
-
cpe:2.3:a:octobercms:october:1.0.339
-
cpe:2.3:a:octobercms:october:1.0.340
-
cpe:2.3:a:octobercms:october:1.0.341
-
cpe:2.3:a:octobercms:october:1.0.342
-
cpe:2.3:a:octobercms:october:1.0.343
-
cpe:2.3:a:octobercms:october:1.0.344
-
cpe:2.3:a:octobercms:october:1.0.345
-
cpe:2.3:a:octobercms:october:1.0.346
-
cpe:2.3:a:octobercms:october:1.0.347
-
cpe:2.3:a:octobercms:october:1.0.348
-
cpe:2.3:a:octobercms:october:1.0.349
-
cpe:2.3:a:octobercms:october:1.0.350
-
cpe:2.3:a:octobercms:october:1.0.351
-
cpe:2.3:a:octobercms:october:1.0.352
-
cpe:2.3:a:octobercms:october:1.0.353
-
cpe:2.3:a:octobercms:october:1.0.354
-
cpe:2.3:a:octobercms:october:1.0.355
-
cpe:2.3:a:octobercms:october:1.0.356
-
cpe:2.3:a:octobercms:october:1.0.357
-
cpe:2.3:a:octobercms:october:1.0.358
-
cpe:2.3:a:octobercms:october:1.0.359
-
cpe:2.3:a:octobercms:october:1.0.360
-
cpe:2.3:a:octobercms:october:1.0.361
-
cpe:2.3:a:octobercms:october:1.0.362
-
cpe:2.3:a:octobercms:october:1.0.363
-
cpe:2.3:a:octobercms:october:1.0.364
-
cpe:2.3:a:octobercms:october:1.0.365
-
cpe:2.3:a:octobercms:october:1.0.366
-
cpe:2.3:a:octobercms:october:1.0.367
-
cpe:2.3:a:octobercms:october:1.0.368
-
cpe:2.3:a:octobercms:october:1.0.369
-
cpe:2.3:a:octobercms:october:1.0.370
-
cpe:2.3:a:octobercms:october:1.0.371
-
cpe:2.3:a:octobercms:october:1.0.372
-
cpe:2.3:a:octobercms:october:1.0.373
-
cpe:2.3:a:octobercms:october:1.0.374
-
cpe:2.3:a:octobercms:october:1.0.375
-
cpe:2.3:a:octobercms:october:1.0.376
-
cpe:2.3:a:octobercms:october:1.0.377
-
cpe:2.3:a:octobercms:october:1.0.378
-
cpe:2.3:a:octobercms:october:1.0.379
-
cpe:2.3:a:octobercms:october:1.0.380
-
cpe:2.3:a:octobercms:october:1.0.381
-
cpe:2.3:a:octobercms:october:1.0.382
-
cpe:2.3:a:octobercms:october:1.0.383
-
cpe:2.3:a:octobercms:october:1.0.384
-
cpe:2.3:a:octobercms:october:1.0.385
-
cpe:2.3:a:octobercms:october:1.0.386
-
cpe:2.3:a:octobercms:october:1.0.387
-
cpe:2.3:a:octobercms:october:1.0.388
-
cpe:2.3:a:octobercms:october:1.0.389
-
cpe:2.3:a:octobercms:october:1.0.390
-
cpe:2.3:a:octobercms:october:1.0.391
-
cpe:2.3:a:octobercms:october:1.0.392
-
cpe:2.3:a:octobercms:october:1.0.393
-
cpe:2.3:a:octobercms:october:1.0.394
-
cpe:2.3:a:octobercms:october:1.0.395
-
cpe:2.3:a:octobercms:october:1.0.396
-
cpe:2.3:a:octobercms:october:1.0.397
-
cpe:2.3:a:octobercms:october:1.0.398
-
cpe:2.3:a:octobercms:october:1.0.399
-
cpe:2.3:a:octobercms:october:1.0.400
-
cpe:2.3:a:octobercms:october:1.0.401
-
cpe:2.3:a:octobercms:october:1.0.402
-
cpe:2.3:a:octobercms:october:1.0.403
-
cpe:2.3:a:octobercms:october:1.0.404
-
cpe:2.3:a:octobercms:october:1.0.405
-
cpe:2.3:a:octobercms:october:1.0.406
-
cpe:2.3:a:octobercms:october:1.0.407
-
cpe:2.3:a:octobercms:october:1.0.408
-
cpe:2.3:a:octobercms:october:1.0.409
-
cpe:2.3:a:octobercms:october:1.0.410
-
cpe:2.3:a:octobercms:october:1.0.411
-
cpe:2.3:a:octobercms:october:1.0.412
-
cpe:2.3:a:octobercms:october:1.0.413
-
cpe:2.3:a:octobercms:october:1.0.414
-
cpe:2.3:a:octobercms:october:1.0.415
-
cpe:2.3:a:octobercms:october:1.0.416
-
cpe:2.3:a:octobercms:october:1.0.417
-
cpe:2.3:a:octobercms:october:1.0.418
-
cpe:2.3:a:octobercms:october:1.0.419
-
cpe:2.3:a:octobercms:october:1.0.420
-
cpe:2.3:a:octobercms:october:1.0.421
-
cpe:2.3:a:octobercms:october:1.0.422
-
cpe:2.3:a:octobercms:october:1.0.423
-
cpe:2.3:a:octobercms:october:1.0.424
-
cpe:2.3:a:octobercms:october:1.0.425
-
cpe:2.3:a:octobercms:october:1.0.426
-
cpe:2.3:a:octobercms:october:1.0.427
-
cpe:2.3:a:octobercms:october:1.0.428
-
cpe:2.3:a:octobercms:october:1.0.429
-
cpe:2.3:a:octobercms:october:1.0.430
-
cpe:2.3:a:octobercms:october:1.0.431
-
cpe:2.3:a:octobercms:october:1.0.432
-
cpe:2.3:a:octobercms:october:1.0.433
-
cpe:2.3:a:octobercms:october:1.0.434
-
cpe:2.3:a:octobercms:october:1.0.435
-
cpe:2.3:a:octobercms:october:1.0.436
-
cpe:2.3:a:octobercms:october:1.0.437
-
cpe:2.3:a:octobercms:october:1.0.438
-
cpe:2.3:a:octobercms:october:1.0.439
-
cpe:2.3:a:octobercms:october:1.0.440
-
cpe:2.3:a:octobercms:october:1.0.441
-
cpe:2.3:a:octobercms:october:1.0.442
-
cpe:2.3:a:octobercms:october:1.0.443
-
cpe:2.3:a:octobercms:october:1.0.444
-
cpe:2.3:a:octobercms:october:1.0.445
-
cpe:2.3:a:octobercms:october:1.0.446
-
cpe:2.3:a:octobercms:october:1.0.447
-
cpe:2.3:a:octobercms:october:1.0.448
-
cpe:2.3:a:octobercms:october:1.0.449
-
cpe:2.3:a:octobercms:october:1.0.450
-
cpe:2.3:a:octobercms:october:1.0.451
-
cpe:2.3:a:octobercms:october:1.0.452
-
cpe:2.3:a:octobercms:october:1.0.453
-
cpe:2.3:a:octobercms:october:1.0.454
-
cpe:2.3:a:octobercms:october:1.0.455
-
cpe:2.3:a:octobercms:october:1.0.456
-
cpe:2.3:a:octobercms:october:1.0.457
-
cpe:2.3:a:octobercms:october:1.0.458
-
cpe:2.3:a:octobercms:october:1.0.459
-
cpe:2.3:a:octobercms:october:1.0.460
-
cpe:2.3:a:octobercms:october:1.0.461
-
cpe:2.3:a:octobercms:october:1.0.462
-
cpe:2.3:a:octobercms:october:1.0.463
-
cpe:2.3:a:octobercms:october:1.0.464
-
cpe:2.3:a:octobercms:october:1.0.465
-
cpe:2.3:a:octobercms:october:1.0.466
-
cpe:2.3:a:octobercms:october:1.0.467
-
cpe:2.3:a:octobercms:october:1.0.468