Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/october/cms@1.0.319

Type composer

Namespace october

Name cms

Version 1.0.319

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.0.470

Latest_non_vulnerable_version 1.1.2

Affected_by_vulnerabilities

url VCID-2y9g-3yme-gubv

vulnerability_id VCID-2y9g-3yme-gubv

summary

External Control of File Name or Path
In OctoberCMS, an attacker can delete arbitrary local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission.

references

reference_url

http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-5296

reference_id

reference_type

scores

value	0.00618
scoring_system	epss
scoring_elements	0.70351
published_at	2026-06-04T12:55:00Z

value	0.00618
scoring_system	epss
scoring_elements	0.70383
published_at	2026-06-07T12:55:00Z

value	0.00618
scoring_system	epss
scoring_elements	0.70401
published_at	2026-06-06T12:55:00Z

value	0.00618
scoring_system	epss
scoring_elements	0.70392
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-5296

reference_url

http://seclists.org/fulldisclosure/2020/Aug/2

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://seclists.org/fulldisclosure/2020/Aug/2

reference_url

https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc

reference_id

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-5296

reference_id

CVE-2020-5296

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-5296

reference_url

https://github.com/advisories/GHSA-jv6v-fvvx-4932

reference_id

GHSA-jv6v-fvvx-4932

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jv6v-fvvx-4932

reference_url

https://github.com/octobercms/october/security/advisories/GHSA-jv6v-fvvx-4932

reference_id

GHSA-jv6v-fvvx-4932

reference_type

scores

value	6.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/octobercms/october/security/advisories/GHSA-jv6v-fvvx-4932

fixed_packages

url pkg:composer/october/cms@1.0.466

purl pkg:composer/october/cms@1.0.466

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kf11-quf4-ryg1

vulnerability	VCID-myh3-5454-ffgb

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/cms@1.0.466

aliases CVE-2020-5296, GHSA-jv6v-fvvx-4932

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2y9g-3yme-gubv

url VCID-jv9v-yxk9-hqer

vulnerability_id VCID-jv9v-yxk9-hqer

summary

Unrestricted Upload of File with Dangerous Type
October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server.

references

reference_url

http://octobercms.com/support/article/rn-8

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://octobercms.com/support/article/rn-8

reference_url

http://packetstormsecurity.com/files/154390/October-CMS-Upload-Protection-Bypass-Code-Execution.html

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://packetstormsecurity.com/files/154390/October-CMS-Upload-Protection-Bypass-Code-Execution.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2017-1000119

reference_id

reference_type

scores

value	0.76231
scoring_system	epss
scoring_elements	0.98949
published_at	2026-06-06T12:55:00Z

value	0.76231
scoring_system	epss
scoring_elements	0.98946
published_at	2026-06-04T12:55:00Z

value	0.76231
scoring_system	epss
scoring_elements	0.98948
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2017-1000119

reference_url

https://github.com/octobercms/october

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/octobercms/october

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/47376.rb
reference_id	CVE-2017-1000119
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/remote/47376.rb

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2017-1000119

reference_id

CVE-2017-1000119

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2017-1000119

reference_url	https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/october_upload_bypass_exec.rb
reference_id	CVE-2017-1000119
reference_type	exploit
scores
url	https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/october_upload_bypass_exec.rb

reference_url

https://github.com/advisories/GHSA-q263-j3q9-g964

reference_id

GHSA-q263-j3q9-g964

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-q263-j3q9-g964

fixed_packages

url pkg:composer/october/cms@1.0.413

purl pkg:composer/october/cms@1.0.413

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2y9g-3yme-gubv

vulnerability	VCID-myh3-5454-ffgb

vulnerability	VCID-nj68-b1vy-5khg

vulnerability	VCID-xba2-4g53-cugg

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/cms@1.0.413

aliases CVE-2017-1000119, GHSA-q263-j3q9-g964

risk_score 10.0

exploitability 2.0

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jv9v-yxk9-hqer

url VCID-myh3-5454-ffgb

vulnerability_id VCID-myh3-5454-ffgb

summary

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having cms.enableSafeMode enabled, but would be a problem for anyone relying on cms.enableSafeMode to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP. Issue has been patched in Build 469 (v1.0.469) and v1.1.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-15247

reference_id

reference_type

scores

value	0.00146
scoring_system	epss
scoring_elements	0.34664
published_at	2026-06-04T12:55:00Z

value	0.00146
scoring_system	epss
scoring_elements	0.34741
published_at	2026-06-07T12:55:00Z

value	0.00146
scoring_system	epss
scoring_elements	0.34778
published_at	2026-06-06T12:55:00Z

value	0.00146
scoring_system	epss
scoring_elements	0.34761
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-15247

reference_url

https://github.com/octobercms/october

reference_id

reference_type

scores

value	5.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/octobercms/october

reference_url

https://github.com/octobercms/october/commit/4c650bb775ab849e48202a4923bac93bd74f9982

reference_id

reference_type

scores

value	5.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/octobercms/october/commit/4c650bb775ab849e48202a4923bac93bd74f9982

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-15247

reference_id

CVE-2020-15247

reference_type

scores

value	5.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-15247

reference_url

https://github.com/advisories/GHSA-94vp-rmqv-5875

reference_id

GHSA-94vp-rmqv-5875

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-94vp-rmqv-5875

reference_url

https://github.com/octobercms/october/security/advisories/GHSA-94vp-rmqv-5875

reference_id

GHSA-94vp-rmqv-5875

reference_type

scores

value	5.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/octobercms/october/security/advisories/GHSA-94vp-rmqv-5875

fixed_packages

url pkg:composer/october/cms@1.0.469

purl pkg:composer/october/cms@1.0.469

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-xft1-5xxz-jfbp

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/cms@1.0.469

aliases CVE-2020-15247, GHSA-94vp-rmqv-5875

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-myh3-5454-ffgb

url VCID-nj68-b1vy-5khg

vulnerability_id VCID-nj68-b1vy-5khg

summary

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466).

references

reference_url

http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-5295

reference_id

reference_type

scores

value	0.0968
scoring_system	epss
scoring_elements	0.9306
published_at	2026-06-04T12:55:00Z

value	0.0968
scoring_system	epss
scoring_elements	0.93065
published_at	2026-06-07T12:55:00Z

value	0.0968
scoring_system	epss
scoring_elements	0.93069
published_at	2026-06-06T12:55:00Z

value	0.0968
scoring_system	epss
scoring_elements	0.93071
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-5295

reference_url

http://seclists.org/fulldisclosure/2020/Aug/2

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://seclists.org/fulldisclosure/2020/Aug/2

reference_url

https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/49045.sh
reference_id	CVE-2020-5295
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/49045.sh

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-5295

reference_id

CVE-2020-5295

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-5295

reference_url

https://github.com/advisories/GHSA-r23f-c2j5-rx2f

reference_id

GHSA-r23f-c2j5-rx2f

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-r23f-c2j5-rx2f

reference_url

https://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f

reference_id

GHSA-r23f-c2j5-rx2f

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f

fixed_packages

url pkg:composer/october/cms@1.0.466

purl pkg:composer/october/cms@1.0.466

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kf11-quf4-ryg1

vulnerability	VCID-myh3-5454-ffgb

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/cms@1.0.466

aliases CVE-2020-5295, GHSA-r23f-c2j5-rx2f

risk_score 10.0

exploitability 2.0

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nj68-b1vy-5khg

url VCID-xba2-4g53-cugg

vulnerability_id VCID-xba2-4g53-cugg

summary

External Control of File Name or Path
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml files to any directory of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission. Issue has been patched in Build 466 (v1.0.466).

references

reference_url

http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html

reference_id

reference_type

scores

value	3.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-5297

reference_id

reference_type

scores

value	0.01759
scoring_system	epss
scoring_elements	0.82969
published_at	2026-06-07T12:55:00Z

value	0.01759
scoring_system	epss
scoring_elements	0.82946
published_at	2026-06-04T12:55:00Z

value	0.01759
scoring_system	epss
scoring_elements	0.82973
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-5297

reference_url

http://seclists.org/fulldisclosure/2020/Aug/2

reference_id

reference_type

scores

value	3.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

http://seclists.org/fulldisclosure/2020/Aug/2

reference_url

https://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8

reference_id

reference_type

scores

value	3.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-5297

reference_id

CVE-2020-5297

reference_type

scores

value	3.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-5297

reference_url

https://github.com/advisories/GHSA-9722-rr68-rfpg

reference_id

GHSA-9722-rr68-rfpg

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9722-rr68-rfpg

reference_url

https://github.com/octobercms/october/security/advisories/GHSA-9722-rr68-rfpg

reference_id

GHSA-9722-rr68-rfpg

reference_type

scores

value	3.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/octobercms/october/security/advisories/GHSA-9722-rr68-rfpg

fixed_packages

url pkg:composer/october/cms@1.0.466

purl pkg:composer/october/cms@1.0.466

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kf11-quf4-ryg1

vulnerability	VCID-myh3-5454-ffgb

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/cms@1.0.466

aliases CVE-2020-5297, GHSA-9722-rr68-rfpg

risk_score 1.6

exploitability 0.5

weighted_severity 3.1

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xba2-4g53-cugg

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/october/cms@1.0.319

Package Instance