Vulnerability Details CVE-2020-5298
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 72.4%
CVSS Severity
CVSS v3 Score 4.0
CVSS v2 Score 3.5
References
- http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html
- http://seclists.org/fulldisclosure/2020/Aug/2
- https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c
- https://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c
- http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html
- http://seclists.org/fulldisclosure/2020/Aug/2
- https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c
- https://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c
Products affected by CVE-2020-5298
-
cpe:2.3:a:octobercms:october:1.0.319
-
cpe:2.3:a:octobercms:october:1.0.320
-
cpe:2.3:a:octobercms:october:1.0.321
-
cpe:2.3:a:octobercms:october:1.0.322
-
cpe:2.3:a:octobercms:october:1.0.323
-
cpe:2.3:a:octobercms:october:1.0.324
-
cpe:2.3:a:octobercms:october:1.0.325
-
cpe:2.3:a:octobercms:october:1.0.326
-
cpe:2.3:a:octobercms:october:1.0.327
-
cpe:2.3:a:octobercms:october:1.0.328
-
cpe:2.3:a:octobercms:october:1.0.329
-
cpe:2.3:a:octobercms:october:1.0.330
-
cpe:2.3:a:octobercms:october:1.0.331
-
cpe:2.3:a:octobercms:october:1.0.332
-
cpe:2.3:a:octobercms:october:1.0.333
-
cpe:2.3:a:octobercms:october:1.0.334
-
cpe:2.3:a:octobercms:october:1.0.335
-
cpe:2.3:a:octobercms:october:1.0.336
-
cpe:2.3:a:octobercms:october:1.0.337
-
cpe:2.3:a:octobercms:october:1.0.338
-
cpe:2.3:a:octobercms:october:1.0.339
-
cpe:2.3:a:octobercms:october:1.0.340
-
cpe:2.3:a:octobercms:october:1.0.341
-
cpe:2.3:a:octobercms:october:1.0.342
-
cpe:2.3:a:octobercms:october:1.0.343
-
cpe:2.3:a:octobercms:october:1.0.344
-
cpe:2.3:a:octobercms:october:1.0.345
-
cpe:2.3:a:octobercms:october:1.0.346
-
cpe:2.3:a:octobercms:october:1.0.347
-
cpe:2.3:a:octobercms:october:1.0.348
-
cpe:2.3:a:octobercms:october:1.0.349
-
cpe:2.3:a:octobercms:october:1.0.350
-
cpe:2.3:a:octobercms:october:1.0.351
-
cpe:2.3:a:octobercms:october:1.0.352
-
cpe:2.3:a:octobercms:october:1.0.353
-
cpe:2.3:a:octobercms:october:1.0.354
-
cpe:2.3:a:octobercms:october:1.0.355
-
cpe:2.3:a:octobercms:october:1.0.356
-
cpe:2.3:a:octobercms:october:1.0.357
-
cpe:2.3:a:octobercms:october:1.0.358
-
cpe:2.3:a:octobercms:october:1.0.359
-
cpe:2.3:a:octobercms:october:1.0.360
-
cpe:2.3:a:octobercms:october:1.0.361
-
cpe:2.3:a:octobercms:october:1.0.362
-
cpe:2.3:a:octobercms:october:1.0.363
-
cpe:2.3:a:octobercms:october:1.0.364
-
cpe:2.3:a:octobercms:october:1.0.365
-
cpe:2.3:a:octobercms:october:1.0.366
-
cpe:2.3:a:octobercms:october:1.0.367
-
cpe:2.3:a:octobercms:october:1.0.368
-
cpe:2.3:a:octobercms:october:1.0.369
-
cpe:2.3:a:octobercms:october:1.0.370
-
cpe:2.3:a:octobercms:october:1.0.371
-
cpe:2.3:a:octobercms:october:1.0.372
-
cpe:2.3:a:octobercms:october:1.0.373
-
cpe:2.3:a:octobercms:october:1.0.374
-
cpe:2.3:a:octobercms:october:1.0.375
-
cpe:2.3:a:octobercms:october:1.0.376
-
cpe:2.3:a:octobercms:october:1.0.377
-
cpe:2.3:a:octobercms:october:1.0.378
-
cpe:2.3:a:octobercms:october:1.0.379
-
cpe:2.3:a:octobercms:october:1.0.380
-
cpe:2.3:a:octobercms:october:1.0.381
-
cpe:2.3:a:octobercms:october:1.0.382
-
cpe:2.3:a:octobercms:october:1.0.383
-
cpe:2.3:a:octobercms:october:1.0.384
-
cpe:2.3:a:octobercms:october:1.0.385
-
cpe:2.3:a:octobercms:october:1.0.386
-
cpe:2.3:a:octobercms:october:1.0.387
-
cpe:2.3:a:octobercms:october:1.0.388
-
cpe:2.3:a:octobercms:october:1.0.389
-
cpe:2.3:a:octobercms:october:1.0.390
-
cpe:2.3:a:octobercms:october:1.0.391
-
cpe:2.3:a:octobercms:october:1.0.392
-
cpe:2.3:a:octobercms:october:1.0.393
-
cpe:2.3:a:octobercms:october:1.0.394
-
cpe:2.3:a:octobercms:october:1.0.395
-
cpe:2.3:a:octobercms:october:1.0.396
-
cpe:2.3:a:octobercms:october:1.0.397
-
cpe:2.3:a:octobercms:october:1.0.398
-
cpe:2.3:a:octobercms:october:1.0.399
-
cpe:2.3:a:octobercms:october:1.0.400
-
cpe:2.3:a:octobercms:october:1.0.401
-
cpe:2.3:a:octobercms:october:1.0.402
-
cpe:2.3:a:octobercms:october:1.0.403
-
cpe:2.3:a:octobercms:october:1.0.404
-
cpe:2.3:a:octobercms:october:1.0.405
-
cpe:2.3:a:octobercms:october:1.0.406
-
cpe:2.3:a:octobercms:october:1.0.407
-
cpe:2.3:a:octobercms:october:1.0.408
-
cpe:2.3:a:octobercms:october:1.0.409
-
cpe:2.3:a:octobercms:october:1.0.410
-
cpe:2.3:a:octobercms:october:1.0.411
-
cpe:2.3:a:octobercms:october:1.0.412
-
cpe:2.3:a:octobercms:october:1.0.413
-
cpe:2.3:a:octobercms:october:1.0.414
-
cpe:2.3:a:octobercms:october:1.0.415
-
cpe:2.3:a:octobercms:october:1.0.416
-
cpe:2.3:a:octobercms:october:1.0.417
-
cpe:2.3:a:octobercms:october:1.0.418
-
cpe:2.3:a:octobercms:october:1.0.419
-
cpe:2.3:a:octobercms:october:1.0.420
-
cpe:2.3:a:octobercms:october:1.0.421
-
cpe:2.3:a:octobercms:october:1.0.422
-
cpe:2.3:a:octobercms:october:1.0.423
-
cpe:2.3:a:octobercms:october:1.0.424
-
cpe:2.3:a:octobercms:october:1.0.425
-
cpe:2.3:a:octobercms:october:1.0.426
-
cpe:2.3:a:octobercms:october:1.0.427
-
cpe:2.3:a:octobercms:october:1.0.428
-
cpe:2.3:a:octobercms:october:1.0.429
-
cpe:2.3:a:octobercms:october:1.0.430
-
cpe:2.3:a:octobercms:october:1.0.431
-
cpe:2.3:a:octobercms:october:1.0.432
-
cpe:2.3:a:octobercms:october:1.0.433
-
cpe:2.3:a:octobercms:october:1.0.434
-
cpe:2.3:a:octobercms:october:1.0.435
-
cpe:2.3:a:octobercms:october:1.0.436
-
cpe:2.3:a:octobercms:october:1.0.437
-
cpe:2.3:a:octobercms:october:1.0.438
-
cpe:2.3:a:octobercms:october:1.0.439
-
cpe:2.3:a:octobercms:october:1.0.440
-
cpe:2.3:a:octobercms:october:1.0.441
-
cpe:2.3:a:octobercms:october:1.0.442
-
cpe:2.3:a:octobercms:october:1.0.443
-
cpe:2.3:a:octobercms:october:1.0.444
-
cpe:2.3:a:octobercms:october:1.0.445
-
cpe:2.3:a:octobercms:october:1.0.446
-
cpe:2.3:a:octobercms:october:1.0.447
-
cpe:2.3:a:octobercms:october:1.0.448
-
cpe:2.3:a:octobercms:october:1.0.449
-
cpe:2.3:a:octobercms:october:1.0.450
-
cpe:2.3:a:octobercms:october:1.0.451
-
cpe:2.3:a:octobercms:october:1.0.452
-
cpe:2.3:a:octobercms:october:1.0.453
-
cpe:2.3:a:octobercms:october:1.0.454
-
cpe:2.3:a:octobercms:october:1.0.455
-
cpe:2.3:a:octobercms:october:1.0.456
-
cpe:2.3:a:octobercms:october:1.0.457
-
cpe:2.3:a:octobercms:october:1.0.458
-
cpe:2.3:a:octobercms:october:1.0.459
-
cpe:2.3:a:octobercms:october:1.0.460
-
cpe:2.3:a:octobercms:october:1.0.461
-
cpe:2.3:a:octobercms:october:1.0.462
-
cpe:2.3:a:octobercms:october:1.0.463
-
cpe:2.3:a:octobercms:october:1.0.464
-
cpe:2.3:a:octobercms:october:1.0.465