CVE-2020-15249

{"id": "CVE-2020-15249", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.8, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2020-11-23T20:15:12.557", "references": [{"url": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target's browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) & v1.1.0."}, {"lang": "es", "value": "October es una plataforma CMS gratuita, de c\u00f3digo abierto y autohosteada basada en Laravel PHP Framework. En October CMS desde la versi\u00f3n 1.0.319 y anterior a versi\u00f3n 1.0.469, a los usuarios de backend con acceso para cargar archivos se les permiti\u00f3 cargar archivos SVG sin ning\u00fan saneamiento aplicado a los archivos cargados. Dado que los archivos SVG admiten ser analizados como HTML por los navegadores, esto significa que te\u00f3ricamente podr\u00edan cargar Javascript que se ejecutar\u00eda en una ruta bajo el dominio del sitio web (es decir, /storage/app/media/evil.svg), pero tendr\u00edan que convencer su objetivo para que visite esa ubicaci\u00f3n directamente en el navegador del objetivo, ya que el backend no muestra SVG en l\u00ednea en ning\u00fan lugar, los SVG solo se muestran como recursos de imagen en el backend y, por lo tanto, no se pueden ejecutar. El problema se ha corregido en Build 469 (versi\u00f3n v1.0.469) y versi\u00f3n v1.1.0"}], "lastModified": "2024-11-21T05:05:11.270", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ABEFA590-9054-45DD-A177-D5EBEA49C5B7", "versionEndExcluding": "1.0.469", "versionStartIncluding": "1.0.319"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}