{"url":"http://public2.vulnerablecode.io/api/packages/448681?format=json","purl":"pkg:composer/october/october@1.0.410","type":"composer","namespace":"october","name":"october","version":"1.0.410","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41363?format=json","vulnerability_id":"VCID-4dcg-6pa4-sfez","summary":"Upload whitelisted files to any directory in OctoberCMS\n### Impact\nAn attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml files to any directory of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission.\n\n### Patches\nIssue has been patched in Build 466 (v1.0.466).\n\n### Workarounds\nApply https://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8 to your installation manually if unable to upgrade to Build 466.\n\n### References\nReported by [Sivanesh Ashok](https://stazot.com/)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n<img width=\"1241\" alt=\"Screen Shot 2020-03-31 at 12 21 10 PM\" 
src=\"https://user-images.githubusercontent.com/7253840/78061230-255f5400-734a-11ea-92b4-1120f6960505.png\">","references":[{"reference_url":"http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5297","reference_id":"","reference_type":"","scores":[{"value":"0.01759","scoring_system":"epss","scoring_elements":"0.82915","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5297"},{"reference_url":"http://seclists.org/fulldisclosure/2020/Aug/2","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2020/Aug/2"},{"reference_url":"https://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-9722-rr68-rfpg","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_el
ements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-9722-rr68-rfpg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5297","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5297"},{"reference_url":"https://github.com/advisories/GHSA-9722-rr68-rfpg","reference_id":"GHSA-9722-rr68-rfpg","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9722-rr68-rfpg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74970?format=json","purl":"pkg:composer/october/october@1.0.466","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-5qtb-bbzw-u7bh"},{"vulnerability":"VCID-7n8x-v7ax-gfa8"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-kvcv-vnpf-b3dx"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-rf1k-5u6t-3fa5"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-wc6k-k8g6-akct"},{"vulnerability":"VCID-z77m-gq6n-4bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.466"}],"aliases":["CVE-2020-5297","GHSA-9722-rr68-rfpg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4dcg-6pa4-sfez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/48670?format=jso
n","vulnerability_id":"VCID-4thu-npzq-7qeg","summary":"October CMS Safe Mode bypass leads to authenticated Remote Code Execution\n### Impact\n\nThis vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the \"Editor\" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request.\n\n### Patches\n\nThe issue has been patched in v2.2.34 and v3.0.66\n\n### References\n\nCredits to:\n\n-  David Miller\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Email us at [hello@octobercms.com](mailto:hello@octobercms.com)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-35944","reference_id":"","reference_type":"","scores":[{"value":"0.00532","scoring_system":"epss","scoring_elements":"0.67563","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-35944"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L"},{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":
"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:47:57Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35944","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35944"},{"reference_url":"https://github.com/advisories/GHSA-x4q7-m6fp-4v9v","reference_id":"GHSA-x4q7-m6fp-4v9v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x4q7-m6fp-4v9v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/579233?format=json","purl":"pkg:composer/october/october@3.0.74","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8zm8-6yxy-t7hm"},{"vulnerability":"VCID-f74d-n6bt-jkbh"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-r8ea-d2w6-d3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@3.0.74"}],"aliases":["CVE-2022-35944","GHSA-x4q7-m6fp-4v9v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4thu-npzq-7qeg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49734?format=json","vulnerability_id":"VCID-5f5g-appd-sfh1","summary":"October/System authenticated file write leads to remote code execution\n### Impact\n\nAssuming an attacker with \"create, modify and delete website pages\" privileges in the backend is able to execute PHP code by running specially crafted Twig code in the template markup.\n\n### Patches\n\nIssue has been patched in Build 473 and v1.1.6\n\n### Workarounds\n\nApply 
https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26 to your installation manually if you are unable to upgrade.\n\n### References\n\nCredits to:\n• David Miller\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32649","reference_id":"","reference_type":"","scores":[{"value":"0.005","scoring_system":"epss","scoring_elements":"0.66259","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32649"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:56:55Z/"}],"url":"https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-wv23-pfj7-2mjj","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_el
ements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:56:55Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-wv23-pfj7-2mjj"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32649","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32649"},{"reference_url":"https://github.com/advisories/GHSA-wv23-pfj7-2mjj","reference_id":"GHSA-wv23-pfj7-2mjj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wv23-pfj7-2mjj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371341?format=json","purl":"pkg:composer/october/october@1.0.473","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.473"},{"url":"http://public2.vulnerablecode.io/api/packages/371342?format=json","purl":"pkg:composer/october/october@1.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.1.6"}],"aliases":["CVE-2021-32649","GHSA-wv23-pfj7-2mjj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID
-5f5g-appd-sfh1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54785?format=json","vulnerability_id":"VCID-5k49-u383-vkhf","summary":"October CMS - RainLab Blog Plugin XSS\nThe RainLab Blog Plugin used in October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-7198","reference_id":"","reference_type":"","scores":[{"value":"0.01085","scoring_system":"epss","scoring_elements":"0.78185","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-7198"},{"reference_url":"http://securitywarrior9.blogspot.com/2018/02/html-injection-october-cms.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://securitywarrior9.blogspot.com/2018/02/html-injection-october-cms.html"},{"reference_url":"https://github.com/rainlab/blog-plugin","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rainlab/blog-plugin"},{"reference_url":"https://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7198","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N
/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-7198"},{"reference_url":"https://www.exploit-db.com/exploits/44144","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/44144"},{"reference_url":"https://www.exploit-db.com/exploits/44144/","reference_id":"","reference_type":"","scores":[],"url":"https://www.exploit-db.com/exploits/44144/"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/44144.txt","reference_id":"CVE-2018-7198","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/44144.txt"},{"reference_url":"https://github.com/advisories/GHSA-96mh-7xpr-qcgw","reference_id":"GHSA-96mh-7xpr-qcgw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-96mh-7xpr-qcgw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/448698?format=json","purl":"pkg:composer/october/october@1.0.432","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4dcg-6pa4-sfez"},{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-5qtb-bbzw-u7bh"},{"vulnerability":"VCID-7n8x-v7ax-gfa8"},{"vulnerability":"VCID-82wn-2ut5-2bds"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-cspf-cxnq-yyce"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-etwx-34mn-yqcg"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-kq39-27af-g7h1"},{"vulnerability":"VCID-kvcv-vnpf-b3dx"},{"vulnerability":"VCI
D-ntdm-ne1n-hue7"},{"vulnerability":"VCID-q59j-7dat-wfg1"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-rf1k-5u6t-3fa5"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-scbz-9f86-a7e9"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-wc6k-k8g6-akct"},{"vulnerability":"VCID-z77m-gq6n-4bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.432"}],"aliases":["CVE-2018-7198","GHSA-96mh-7xpr-qcgw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5k49-u383-vkhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41082?format=json","vulnerability_id":"VCID-5qtb-bbzw-u7bh","summary":"Twig Sandbox Escape by authenticated users with access to editing CMS templates when safemode is enabled.\n### Impact\nAn authenticated backend user with the `cms.manage_pages`, `cms.manage_layouts`, or `cms.manage_partials` permissions who would **normally** not be permitted to provide PHP code to be executed by the CMS due to `cms.enableSafeMode` being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.\n\nThis is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having `cms.enableSafeMode` enabled, but would be a problem for anyone relying on `cms.enableSafeMode` to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP.\n\n### Patches\nIssue has been patched in Build 469 (v1.0.469) and v1.1.0.\n\n### Workarounds\nApply https://github.com/octobercms/october/compare/106daa2930de4cebb18732732d47d4056f01dd5b...7cb148c1677373ac30ccfd3069d18098e403e1ca to your installation manually if unable to upgrade to Build 469.\n\n### References\nReported by [ka1n4t](https://github.com/ka1n4t)\n\n### For more information\nIf you have any questions or 
comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n<img width=\"1108\" alt=\"Screen Shot 2020-10-10 at 1 21 13 PM\" src=\"https://user-images.githubusercontent.com/7253840/95663316-7de28b80-0afb-11eb-999d-a6526cf78709.png\">","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15247","reference_id":"","reference_type":"","scores":[{"value":"0.00146","scoring_system":"epss","scoring_elements":"0.34689","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15247"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://github.com/octobercms/october/commit/4c650bb775ab849e48202a4923bac93bd74f9982","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/4c650bb775ab849e48202a4923bac93bd74f9982"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-94vp-rmqv-5875","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-94vp-rmqv-5875"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15247","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/
AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15247"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/463935?format=json","purl":"pkg:composer/october/october@1.0.469","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-ppth-dna8-gqc9"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.469"}],"aliases":["CVE-2020-15247","GHSA-94vp-rmqv-5875"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5qtb-bbzw-u7bh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/58883?format=json","vulnerability_id":"VCID-5wrp-jwc9-1bas","summary":"October CMS XSS\nOctober CMS build 412 is vulnerable to stored XSS in brand logo image name resulting in JavaScript code execution in the victim's 
browser.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000193","reference_id":"","reference_type":"","scores":[{"value":"0.00396","scoring_system":"epss","scoring_elements":"0.60706","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000193"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://github.com/octobercms/october/compare/v1.0.412...v1.0.413#diff-66d6dfe5e11488e1afefcb69b8bdaabfR31","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/compare/v1.0.412...v1.0.413#diff-66d6dfe5e11488e1afefcb69b8bdaabfR31"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000193","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000193"},{"reference_url":"https://github.com/advisories/GHSA-3p6c-9xhm-8x7h","reference_id":"GHSA-3p6c-9xhm-8x7h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3p6c-9xhm-8x7h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/144621?format=json","purl":"pkg:composer/october/october@1.0.413","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4dcg-6p
a4-sfez"},{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-5k49-u383-vkhf"},{"vulnerability":"VCID-5qtb-bbzw-u7bh"},{"vulnerability":"VCID-82wn-2ut5-2bds"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-cspf-cxnq-yyce"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-etwx-34mn-yqcg"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-k7hw-hqfj-rbeh"},{"vulnerability":"VCID-kq39-27af-g7h1"},{"vulnerability":"VCID-kvcv-vnpf-b3dx"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-q59j-7dat-wfg1"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-rf1k-5u6t-3fa5"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-scbz-9f86-a7e9"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-wc6k-k8g6-akct"},{"vulnerability":"VCID-z77m-gq6n-4bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.413"}],"aliases":["CVE-2017-1000193","GHSA-3p6c-9xhm-8x7h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5wrp-jwc9-1bas"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41353?format=json","vulnerability_id":"VCID-82wn-2ut5-2bds","summary":"Local File read vulnerability in OctoberCMS\n### Impact\nAn attacker can exploit this vulnerability to read local files of an October CMS server. 
The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission.\n\n### Patches\nIssue has been patched in Build 466 (v1.0.466).\n\n### Workarounds\nApply https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc to your installation manually if unable to upgrade to Build 466.\n\n### References\nReported by [Sivanesh Ashok](https://stazot.com/)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n<img width=\"1108\" alt=\"Screen Shot 2020-03-31 at 2 37 53 PM\" src=\"https://user-images.githubusercontent.com/7253840/78072989-44b3ac80-735d-11ea-8676-09c69f0409c4.png\">","references":[{"reference_url":"http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5295","reference_id":"","reference_type":"","scores":[{"value":"0.0968","scoring_system":"epss","scoring_elements":"0.9304","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5295"},{"reference_url":"http://seclists.org/fulldisclosure/2020/Aug/2","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2020/Aug/2"},{"reference_url":"https://github.com/octobercms/october/commit/2b89
39cc8b5b6fe81e093fe2c9f883ada4e3c8cc","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-r23f-c2j5-rx2f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5295","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5295"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/49045.sh","reference_id":"CVE-2020-5295","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/49045.sh"},{"reference_url":"https://github.com/advisories/GHSA-r23f-c2j5-rx2f","reference_id":"GHSA-r23f-c2j5-rx2f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r23f-c2j5-rx2f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74970?format=json","purl":"pkg:composer/october/october@1.0.466","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"
vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-5qtb-bbzw-u7bh"},{"vulnerability":"VCID-7n8x-v7ax-gfa8"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-kvcv-vnpf-b3dx"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-rf1k-5u6t-3fa5"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-wc6k-k8g6-akct"},{"vulnerability":"VCID-z77m-gq6n-4bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.466"}],"aliases":["CVE-2020-5295","GHSA-r23f-c2j5-rx2f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-82wn-2ut5-2bds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/43010?format=json","vulnerability_id":"VCID-9d93-weag-gkcw","summary":"October CMS Session ID not invalidated after logout\n### Impact\nWhen logging out, the session ID was not invalidated. This is not a problem while the user is logged out, but as soon as the user logs back in the old session ID would be valid again; which means that anyone that gained access to the old session cookie would be able to act as the logged in user. 
This is not a major concern for the majority of cases, since it requires a malicious party gaining access to the session cookie in the first place, but nevertheless has been fixed.\n\n### Patches\nIssue has been patched in Build 472 (v1.0.472) and v1.1.2.\n\n### Workarounds\nApply https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024 to your installation manually if unable to upgrade to Build 472 or v1.1.2.\n\n### References\n- Reported by Anisio (Brazilian Information Security Analyst)\n- http://cve.circl.lu/cve/CVE-2021-3311\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n<img width=\"699\" alt=\"Screen Shot 2021-02-07 at 11 50 35 PM\" src=\"https://user-images.githubusercontent.com/7253840/107180881-51eaf000-699f-11eb-8828-333128faf2a6.png\">","references":[{"reference_url":"http://cve.circl.lu/cve/CVE-2021-3311","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://cve.circl.lu/cve/CVE-2021-3311"},{"reference_url":"https://anisiosantos.me/october-cms-token-reactivation","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://anisiosantos.me/october-cms-token-reactivation"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3311","reference_id":"","reference_type":"","scores":[{"value":"0.01522","scoring_system":"epss","scoring_elements":"0.81554","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-3311"},{"reference_url":"https://github.com/octobercms/libra
ry/commit/642f597489e6f644d4bd9a0c267e864cabead024","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3311","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3311"},{"reference_url":"https://octobercms.com/forum/chan/announcements","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://octobercms.com/forum/chan/announcements"},{"reference_url":"https://packagist.org/packages/october/rain","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/october/rain"},{"reference_url":"https://github.com/advisories/GHSA-7ggw-h8pp-r95r","reference_id":"GHSA-7ggw-h8pp-r95r","reference_type"
:"","scores":[],"url":"https://github.com/advisories/GHSA-7ggw-h8pp-r95r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371468?format=json","purl":"pkg:composer/october/october@1.0.475","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-u8t7-har2-17fn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.475"}],"aliases":["CVE-2021-3311","GHSA-7ggw-h8pp-r95r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9d93-weag-gkcw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40921?format=json","vulnerability_id":"VCID-cspf-cxnq-yyce","summary":"Stored XSS in October\n### Impact\nA user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field.\n\n### Patches\nIssue has been patched in Build 466 (v1.0.466) & RainLab.Blog v1.4.1 by restricting the ability to store JS in markdown to only users that have been explicitly granted the `backend.allow_unsafe_markdown` permission.\n\n### Workarounds\nApply https://github.com/octobercms/october/commit/9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746 & https://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94 to your installation manually if unable to upgrade to Build 466 or v1.4.1 of RainLab.Blog (if using that plugin).\n\n### References\nReported by [Sivanesh Ashok](https://stazot.com/)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n<img width=\"1100\" alt=\"Screen Shot 2020-03-31 at 2 01 52 PM\" 
src=\"https://user-images.githubusercontent.com/7253840/78070158-8f7ef580-7358-11ea-950c-226533f6a0a3.png\">","references":[{"reference_url":"http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11083","reference_id":"","reference_type":"","scores":[{"value":"0.00917","scoring_system":"epss","scoring_elements":"0.76263","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-11083"},{"reference_url":"http://seclists.org/fulldisclosure/2020/Aug/2","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2020/Aug/2"},{"reference_url":"https://github.com/octobercms/october/commit/9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-w4pj-7p68-3vgv","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_
elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-w4pj-7p68-3vgv"},{"reference_url":"https://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11083","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11083"},{"reference_url":"https://github.com/advisories/GHSA-w4pj-7p68-3vgv","reference_id":"GHSA-w4pj-7p68-3vgv","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w4pj-7p68-3vgv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74970?format=json","purl":"pkg:composer/october/october@1.0.466","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-5qtb-bbzw-u7bh"},{"vulnerability":"VCID-7n8x-v7ax-gfa8"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-kvcv-vnpf-b3dx"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-rf1k-5u6t-3fa5"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VC
ID-wc6k-k8g6-akct"},{"vulnerability":"VCID-z77m-gq6n-4bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.466"}],"aliases":["CVE-2020-11083","GHSA-w4pj-7p68-3vgv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cspf-cxnq-yyce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46272?format=json","vulnerability_id":"VCID-d5fw-ewdh-qfh2","summary":"Bypass of fix for CVE-2020-26231, Twig sandbox escape\n### Impact\nA bypass of CVE-2020-26231 (fixed in 1.0.470/471 and 1.1.1) was discovered that has the same impact as CVE-2020-26231 & CVE-2020-15247:\n\nAn authenticated backend user with the `cms.manage_pages`, `cms.manage_layouts`, or `cms.manage_partials` permissions who would **normally** not be permitted to provide PHP code to be executed by the CMS due to `cms.enableSafeMode` being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.\n\nThis is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having `cms.enableSafeMode` enabled, but would be a problem for anyone relying on `cms.enableSafeMode` to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP.\n\n### Patches\nIssue has been patched in Build 472 (v1.0.472) and v1.1.2.\n\n### Workarounds\nApply https://github.com/octobercms/october/commit/f63519ff1e8d375df30deba63156a2fc97aa9ee7 to your installation manually if unable to upgrade to Build 472 or v1.1.2.\n\n### References\nReported by [ka1n4t](https://github.com/ka1n4t)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n<img width=\"1108\" alt=\"Screen Shot 2020-10-10 at 1 21 13 PM\" 
src=\"https://user-images.githubusercontent.com/7253840/95663316-7de28b80-0afb-11eb-999d-a6526cf78709.png\">","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21264","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10379","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21264"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-fcr8-6q7r-m4wg","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-fcr8-6q7r-m4wg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21264","reference_id":"","reference_type":"","scores":[{"value":"5.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21264"},{"reference_url":"https://github.com/advisories/GHSA-fcr8-6q7r-m4wg","reference_id":"GHSA-fcr8-6q7r-m4wg","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fcr8-6q7r-m4wg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/370803?format=json","purl":"pkg:composer/october/october@1.0.472","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-a
ppd-sfh1"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-m7hp-wwpj-akdh"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.472"},{"url":"http://public2.vulnerablecode.io/api/packages/475853?format=json","purl":"pkg:composer/october/october@1.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-w6b6-j14y-x3ej"},{"vulnerability":"VCID-x939-am9t-dkc5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.1.2"}],"aliases":["CVE-2021-21264","GHSA-fcr8-6q7r-m4wg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d5fw-ewdh-qfh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61834?format=json","vulnerability_id":"VCID-etwx-34mn-yqcg","summary":"October CMS Local File Inclusion\nOctober CMS versions prior to Build 437 contain a Local File Inclusion vulnerability in [modules/system/traits/ViewMaker.php](https://github.com/octobercms/october/blob/v1.0.436/modules/system/traits/ViewMaker.php#L244) (makeFileContents function) that can result in sensitive information disclosure and remote code execution. This attack appears to be exploitable remotely if the /backend path is accessible. 
This vulnerability appears to have been fixed in Build 437.","references":[{"reference_url":"http://octobercms.com/support/article/rn-10","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://octobercms.com/support/article/rn-10"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1999009","reference_id":"","reference_type":"","scores":[{"value":"0.01798","scoring_system":"epss","scoring_elements":"0.83093","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1999009"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1999009","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1999009"},{"reference_url":"https://github.com/advisories/GHSA-v7cr-w5v6-6659","reference_id":"GHSA-v7cr-w5v6-6659","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v7cr-w5v6-6659"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/181038?format=json","purl":"pkg:composer/october/october@1.0.437","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4dcg-6pa4-sfez"},{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{
"vulnerability":"VCID-5qtb-bbzw-u7bh"},{"vulnerability":"VCID-7n8x-v7ax-gfa8"},{"vulnerability":"VCID-82wn-2ut5-2bds"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-cspf-cxnq-yyce"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-kq39-27af-g7h1"},{"vulnerability":"VCID-kvcv-vnpf-b3dx"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-q59j-7dat-wfg1"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-rf1k-5u6t-3fa5"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-scbz-9f86-a7e9"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-wc6k-k8g6-akct"},{"vulnerability":"VCID-z77m-gq6n-4bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.437"}],"aliases":["CVE-2018-1999009","GHSA-v7cr-w5v6-6659"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-etwx-34mn-yqcg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/60889?format=json","vulnerability_id":"VCID-g3kw-u9bw-2ygf","summary":"October CMS File Upload Vulnerability\nOctober CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site compromise and possibly other applications on the 
server.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000194","reference_id":"","reference_type":"","scores":[{"value":"0.00411","scoring_system":"epss","scoring_elements":"0.61686","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-1000194"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://github.com/octobercms/october/compare/v1.0.412...v1.0.413#diff-c328b7b99eac0d17b3c71eb37038fd61R224","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/compare/v1.0.412...v1.0.413#diff-c328b7b99eac0d17b3c71eb37038fd61R224"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000194","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-1000194"},{"reference_url":"https://github.com/advisories/GHSA-8vh6-8w76-v6m3","reference_id":"GHSA-8vh6-8w76-v6m3","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8vh6-8w76-v6m3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/144621?format=json","purl":"pkg:composer/october/october@1.0.413","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4dcg-6
pa4-sfez"},{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-5k49-u383-vkhf"},{"vulnerability":"VCID-5qtb-bbzw-u7bh"},{"vulnerability":"VCID-82wn-2ut5-2bds"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-cspf-cxnq-yyce"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-etwx-34mn-yqcg"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-k7hw-hqfj-rbeh"},{"vulnerability":"VCID-kq39-27af-g7h1"},{"vulnerability":"VCID-kvcv-vnpf-b3dx"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-q59j-7dat-wfg1"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-rf1k-5u6t-3fa5"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-scbz-9f86-a7e9"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-wc6k-k8g6-akct"},{"vulnerability":"VCID-z77m-gq6n-4bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.413"}],"aliases":["CVE-2017-1000194","GHSA-8vh6-8w76-v6m3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g3kw-u9bw-2ygf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50597?format=json","vulnerability_id":"VCID-g3nd-w64m-bkf3","summary":"Authenticated remote code execution in October CMS\n### Impact\n\nAn authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass  `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code.\n\n- This issue only affects admin panels that rely on safe mode and restricted permissions.\n- To exploit this vulnerability, an attacker must first have access to the backend area.\n\n### Patches\n\nThe issue has been patched in Build 474 (v1.0.474) and v1.1.10.\n\n### Workarounds\n\nApply 
https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually if unable to upgrade to Build 474 or v1.1.10.\n\n### References\n\nCredits to:\n- David Miller\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n- Email us at [hello@octobercms.com](mailto:hello@octobercms.com)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21705","reference_id":"","reference_type":"","scores":[{"value":"0.70336","scoring_system":"epss","scoring_elements":"0.98708","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-21705"},{"reference_url":"https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:38Z/"}],"url":"https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system
":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:55:38Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21705","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21705"},{"reference_url":"https://github.com/advisories/GHSA-79jw-2f46-wv22","reference_id":"GHSA-79jw-2f46-wv22","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-79jw-2f46-wv22"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371462?format=json","purl":"pkg:composer/october/october@1.0.474","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.474"},{"url":"http://public2.vulnerablecode.io/api/packages/371463?format=json","purl":"pkg:composer/october/october@1.1.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.1.10"},{"url":"http://public2.vulnerablecode.io/api/packages/371464?format=json","purl":"pkg:composer/october/october@2.1.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-hdfk-vgs3-
jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-u8t7-har2-17fn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@2.1.27"}],"aliases":["CVE-2022-21705","GHSA-79jw-2f46-wv22"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g3nd-w64m-bkf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7813?format=json","vulnerability_id":"VCID-hdfk-vgs3-jbc6","summary":"October allows an admin account to upload PDF containing malicious JavaScript\nOctober 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45962","reference_id":"","reference_type":"","scores":[{"value":"0.0027","scoring_system":"epss","scoring_elements":"0.50593","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-45962"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"1.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://grimthereaperteam.medium.com/october-cms-3-6-30-stored-xss-ddf2be7a226e","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV
:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"1.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T20:33:25Z/"}],"url":"https://grimthereaperteam.medium.com/october-cms-3-6-30-stored-xss-ddf2be7a226e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45962","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"1.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45962"},{"reference_url":"https://github.com/advisories/GHSA-hxpp-g76m-qhvg","reference_id":"GHSA-hxpp-g76m-qhvg","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hxpp-g76m-qhvg"}],"fixed_packages":[],"aliases":["CVE-2024-45962","GHSA-hxpp-g76m-qhvg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hdfk-vgs3-jbc6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/61841?format=json","vulnerability_id":"VCID-k7hw-hqfj-rbeh","summary":"October CMS CSRF\nCross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. 
The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16244","reference_id":"","reference_type":"","scores":[{"value":"0.00403","scoring_system":"epss","scoring_elements":"0.61177","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-16244"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16244","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-16244"},{"reference_url":"https://www.exploit-db.com/exploits/43106","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.exploit-db.com/exploits/43106"},{"reference_url":"https://www.exploit-db.com/exploits/43106/","reference_id":"","reference_
type":"","scores":[],"url":"https://www.exploit-db.com/exploits/43106/"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/43106.txt","reference_id":"CVE-2017-16244","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/43106.txt"},{"reference_url":"https://github.com/advisories/GHSA-vm6r-4p4v-232x","reference_id":"GHSA-vm6r-4p4v-232x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vm6r-4p4v-232x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/181107?format=json","purl":"pkg:composer/october/october@1.0.427","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4dcg-6pa4-sfez"},{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-5k49-u383-vkhf"},{"vulnerability":"VCID-5qtb-bbzw-u7bh"},{"vulnerability":"VCID-7n8x-v7ax-gfa8"},{"vulnerability":"VCID-82wn-2ut5-2bds"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-cspf-cxnq-yyce"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-etwx-34mn-yqcg"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-kq39-27af-g7h1"},{"vulnerability":"VCID-kvcv-vnpf-b3dx"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-q59j-7dat-wfg1"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-rf1k-5u6t-3fa5"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-scbz-9f86-a7e9"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-wc6k-k8g6-akct"},{"vulnerability":"VCID-z77m-gq6n-4bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.427"}],"aliases":["CVE-2017-16244","GHSA-vm6r-4p4v-232x"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"ht
tp://public2.vulnerablecode.io/vulnerabilities/VCID-k7hw-hqfj-rbeh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41312?format=json","vulnerability_id":"VCID-kq39-27af-g7h1","summary":"Reflected XSS when importing CSV in OctoberCMS\n### Impact\nA user with the ability to use the import functionality of the `ImportExportController` behavior could be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question\n\n### Patches\nIssue has been patched in Build 466 (v1.0.466).\n\n### Workarounds\nApply https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c to your installation manually if unable to upgrade to Build 466.\n\n### References\nReported by [Sivanesh Ashok](https://stazot.com/)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n<img width=\"1100\" alt=\"Screen Shot 2020-03-31 at 2 01 52 PM\" 
src=\"https://user-images.githubusercontent.com/7253840/78070158-8f7ef580-7358-11ea-950c-226533f6a0a3.png\">","references":[{"reference_url":"http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5298","reference_id":"","reference_type":"","scores":[{"value":"0.00759","scoring_system":"epss","scoring_elements":"0.73623","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5298"},{"reference_url":"http://seclists.org/fulldisclosure/2020/Aug/2","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2020/Aug/2"},{"reference_url":"https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvss
v3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5298","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5298"},{"reference_url":"https://github.com/advisories/GHSA-gg6x-xx78-448c","reference_id":"GHSA-gg6x-xx78-448c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gg6x-xx78-448c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74970?format=json","purl":"pkg:composer/october/october@1.0.466","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-5qtb-bbzw-u7bh"},{"vulnerability":"VCID-7n8x-v7ax-gfa8"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-kvcv-vnpf-b3dx"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-rf1k-5u6t-3fa5"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-wc6k-k8g6-akct"},{"vulnerability":"VCID-z77m-gq6n-4bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.466"}],"aliases":["CVE-2020-5298","GHSA-gg6x-xx78-448c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kq39-27af-g7h1"},{"url":"http://public2.vulnerablecode.io/a
pi/vulnerabilities/40833?format=json","vulnerability_id":"VCID-kvcv-vnpf-b3dx","summary":"Reliance on Cookies without validation in OctoberCMS\n### Impact\nPreviously encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. \n\nSpecifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. \n\n### Patches\nIssue has been patched in Build 468 (v1.0.468).\n\n>**NOTE**: If you are using the cookie session driver, all of your session data will be invalidated. 
All other session drivers should smoothly upgrade to the changes (although the backend authentication persist cookie will also be invalidated requiring users to login again once their current session expires).\n\n### Workarounds\nApply https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c to your installation manually if unable to upgrade to Build 468.\n\n### References\n- https://blog.laravel.com/laravel-cookie-security-releases\n- https://github.com/laravel/framework/compare/4c7d118181d6c7f1f883643702df807ced016c5e...a731824421f9ebc586728ea9c7cff231a249aaa9\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat Assessment\nAssessed as Low given that it is not directly exploitable within the core but requires other security vulnerabilities within the application to have an effect and the severity of its effect depends entirely on the severity of those other holes in the application's defences.\n\n### Acknowledgements\n\nThanks to [Takashi Terada of Mitsui Bussan Secure Directions, Inc.](https://www.linkedin.com/in/takeshi-terada-b570a6100/) for finding the original issue in Laravel and @taylorotwell for sharing the report with the October CMS 
team.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15128","reference_id":"","reference_type":"","scores":[{"value":"0.00113","scoring_system":"epss","scoring_elements":"0.29575","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15128"},{"reference_url":"https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c"},{"reference_url":"https://github.com/octobercms/library/pull/508","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/pull/508"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15128","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15128"},{"reference_url":"https://githu
b.com/advisories/GHSA-55mm-5399-7r63","reference_id":"GHSA-55mm-5399-7r63","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-55mm-5399-7r63"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/452771?format=json","purl":"pkg:composer/october/october@1.0.468","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-5qtb-bbzw-u7bh"},{"vulnerability":"VCID-7n8x-v7ax-gfa8"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-rf1k-5u6t-3fa5"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-wc6k-k8g6-akct"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.468"}],"aliases":["CVE-2020-15128","GHSA-55mm-5399-7r63"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kvcv-vnpf-b3dx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/34455?format=json","vulnerability_id":"VCID-ntdm-ne1n-hue7","summary":"October CMS Allows Unprotected SVG Rename in Media Manager\n### Impact\n\nThis advisory affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. 
This vulnerability allows an authenticated user to bypass this protection by uploading it with a permitted extension (for example, .jpg or .png) and later modifying it to the .svg extension.\n\nThis vulnerability assumes a trusted user will attack another trusted user and cannot be actively exploited without access to the administration panel and interaction from the other user.\n\n### Patches\n\nThis issue has been patched in v3.7.5.\n\n### References\n\nCredits to:\n- [Cyber-Wo0dy](https://github.com/Cyber-Wo0dy)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-51991","reference_id":"","reference_type":"","scores":[{"value":"0.00313","scoring_system":"epss","scoring_elements":"0.54668","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-51991"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"1.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-96hh-8hx5-cpw7","reference_id":"","reference_type":"","scores":[{"value":"1.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-05T18:06:02Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-96hh-8hx5-cpw7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-51991","reference_id":"","reference_typ
e":"","scores":[{"value":"1.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-51991"},{"reference_url":"https://github.com/advisories/GHSA-96hh-8hx5-cpw7","reference_id":"GHSA-96hh-8hx5-cpw7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-96hh-8hx5-cpw7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/781824?format=json","purl":"pkg:composer/october/october@3.7.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@3.7.10"},{"url":"http://public2.vulnerablecode.io/api/packages/66817?format=json","purl":"pkg:composer/october/october@3.7.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@3.7.5"}],"aliases":["CVE-2024-51991","GHSA-96hh-8hx5-cpw7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ntdm-ne1n-hue7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41339?format=json","vulnerability_id":"VCID-q59j-7dat-wfg1","summary":"Arbitrary File Deletion vulnerability in OctoberCMS\n### Impact\nAn attacker can exploit this vulnerability to delete arbitrary local files of an October CMS server. 
The vulnerability is only exploitable by an authenticated backend user with the `cms.manage_assets` permission.\n\n### Patches\nIssue has been patched in Build 466 (v1.0.466).\n\n### Workarounds\nApply https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc to your installation manually if unable to upgrade to Build 466.\n\n### References\nReported by [Sivanesh Ashok](https://stazot.com/)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n<img width=\"1241\" alt=\"Screen Shot 2020-03-31 at 12 16 53 PM\" src=\"https://user-images.githubusercontent.com/7253840/78060872-89354d00-7349-11ea-8c2b-5881b0a50736.png\">","references":[{"reference_url":"http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5296","reference_id":"","reference_type":"","scores":[{"value":"0.00618","scoring_system":"epss","scoring_elements":"0.70292","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5296"},{"reference_url":"http://seclists.org/fulldisclosure/2020/Aug/2","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2020/Aug/2"},{"reference_url":"https://github.com/octobercms/october/commit/2
b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-jv6v-fvvx-4932","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-jv6v-fvvx-4932"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5296","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5296"},{"reference_url":"https://github.com/advisories/GHSA-jv6v-fvvx-4932","reference_id":"GHSA-jv6v-fvvx-4932","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jv6v-fvvx-4932"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74970?format=json","purl":"pkg:composer/october/october@1.0.466","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-5qtb-bbzw-u7bh"},{"vulnerability":"VCID-7n8x-v7ax-gfa8"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-
jbc6"},{"vulnerability":"VCID-kvcv-vnpf-b3dx"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-rf1k-5u6t-3fa5"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-wc6k-k8g6-akct"},{"vulnerability":"VCID-z77m-gq6n-4bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.466"}],"aliases":["CVE-2020-5296","GHSA-jv6v-fvvx-4932"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q59j-7dat-wfg1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44123?format=json","vulnerability_id":"VCID-qqn7-pr5q-ukb8","summary":"October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers\n### Impact\nWhen running on servers that are configured to accept a wildcard as a hostname (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. See the following resources for more information on Host Header Poisoning:\n- https://portswigger.net/web-security/host-header\n- https://dzone.com/articles/what-is-a-host-header-attack\n\n### Patches\n\nA feature has been added in v1.1.2 to allow a set of trusted hosts to be specified in the application.\n\n### Workarounds\n\n- Apply https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 & https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 to your installation manually if unable to upgrade to v1.1.2.\n\n- Check that the configuration setting `cms.linkPolicy` is set to `force`.\n\n### Alternative Workaround\n\nCheck to make sure that your web server does not accept any hostname when serving your web application.\n\n1. Add an entry called `testing.tld` to your computer's host file and direct it to your server's IP address\n2. 
Open the address `testing.tld` in your web browser\n3. Make sure an October CMS website is not available at this address\n\nIf an October CMS website is returned, configure your webserver to only allow known hostnames. If you require assistance with this, please contact your server administrator.\n\n### References\n\nReported by [Abdullah Hussam](https://github.com/ahussam)\n\n### For More Information\n\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat Assessment\n<img width=\"1108\" alt=\"Screen Shot 2021-01-15 at 4 12 57 PM\" src=\"https://user-images.githubusercontent.com/7253840/104783859-92fb3600-574c-11eb-9e21-c0dc05d230a9.png\">","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21265","reference_id":"","reference_type":"","scores":[{"value":"0.0051","scoring_system":"epss","scoring_elements":"0.66664","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21265"},{"reference_url":"https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d"},{"reference_url":"https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"},{"reference_url":"https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead
536c5d30"},{"reference_url":"https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21265","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21265"},{"reference_url":"https://packagist.org/packages/october/backend","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/october/backend"},{"reference_url":"https://github.com/advisories/GHSA-xhfx-hgmf-v6vp","reference_id":"GHSA-xhfx-hgmf-v6vp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xhfx-hgmf-v6vp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/475853?format=json","purl":"pkg:composer/october/october@1.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-w6b6-j14y-x3ej"},{"vulnerability":"VCID-x939-am9t-dkc5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.1.2"}],"aliases":["CVE-2021-21265",
"GHSA-xhfx-hgmf-v6vp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qqn7-pr5q-ukb8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41046?format=json","vulnerability_id":"VCID-rf1k-5u6t-3fa5","summary":"Stored XSS by authenticated backend user with access to upload files\n### Impact\nBackend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target's browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed.\n\n### Patches\nIssue has been patched in Build 469 (v1.0.469) & v1.1.0.\n\n### Workarounds\nApply https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4 to your installation manually if unable to upgrade to Build 469 or v1.1.0.\n\n### References\nReported by [Hoan Hoang](https://github.com/hoanhp)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n<img width=\"1107\" alt=\"Screen Shot 2020-10-10 at 1 47 49 PM\" 
src=\"https://user-images.githubusercontent.com/7253840/95663787-378f2b80-0aff-11eb-8dfc-b97d162939da.png\">","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15249","reference_id":"","reference_type":"","scores":[{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37324","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15249"},{"reference_url":"https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4","reference_id":"","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q","reference_id":"","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15249","reference_id":"","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15249"},{"reference_url":"https://github.com/advisories/GHSA-fx3v-553x-3c4q","reference_id":"GHSA-fx3v-553x-3c4q","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fx3v-553x-3c4q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/463935?format=json","purl":"pkg:composer/october/october@1.0.469","is_vulnerable":true,"affected_by_vulner
abilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-ppth-dna8-gqc9"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.469"}],"aliases":["CVE-2020-15249","GHSA-fx3v-553x-3c4q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rf1k-5u6t-3fa5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50638?format=json","vulnerability_id":"VCID-s7nn-tyj8-wkhw","summary":"Missing server signature validation in OctoberCMS\n### Impact\n\nThis advisory affects authors of plugins and themes listed on the October CMS marketplace where an end-user will inadvertently expose authors to potential financial loss by entering their private license key into a compromised server.\n\nIt has been disclosed that a project fork of October CMS v1.0 is using a compromised gateway to access the October CMS marketplace service. The compromised gateway captures the personal/business information of users and authors, including private source code files. It was also disclosed that captured plugin files are freely redistributed to other users without authorization.\n\n1. End-users are provided with a forked version of October CMS v1.0. The provided software is modified to use a compromised gateway server.\n\n2. The user is instructed to enter their October CMS license key into the administration panel to access the October CMS marketplace. The key is sent to the compromised server while appearing to access the genuine October CMS gateway server.\n\n3. 
The compromised gateway server uses a \"man in the middle\" mechanism that captures information while forwarding the request to the genuine October CMS gateway and relaying the response back to the client.\n\n4. The compromised gateway server stores the license key and other information about the user account including client name, email address and contents of purchased plugins and privately uploaded plugin files. \n\n5. The stored plugin files are made available to other users of the compromised gateway server.\n\n### Patches\n\nThe issue has been patched in Build 475 (v1.0.475) and v1.1.11.\n\n### Workarounds\n\nApply https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a to your installation manually if unable to upgrade to Build 475 or v1.1.11.\n\n### Recommendations\n\nWe recommend the following steps to make sure your account information stays secure:\n\n- Do not share your license key with anyone except October CMS.\n- Check to make sure that your gateway update server has not been modified.\n- Be aware of phishing websites, including other platforms that use the same appearance.\n- For authors, you may contact us for help requesting the removal of affected plugins.\n- Before providing plugin support, verify that the user holds a legitimate copy of the plugin.\n\n### References\n\nCredits for research on this exploit:\n• Nikita Khaetsky\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Email us at 
[hello@octobercms.com](mailto:hello@octobercms.com)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23655","reference_id":"","reference_type":"","scores":[{"value":"0.00142","scoring_system":"epss","scoring_elements":"0.34019","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23655"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:10:01Z/"}],"url":"https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:10:01Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23655","reference_id":"","reference_type":"","scores":[{"value":
"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23655"},{"reference_url":"https://github.com/advisories/GHSA-53m6-44rc-h2q5","reference_id":"GHSA-53m6-44rc-h2q5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-53m6-44rc-h2q5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/371468?format=json","purl":"pkg:composer/october/october@1.0.475","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-u8t7-har2-17fn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.475"},{"url":"http://public2.vulnerablecode.io/api/packages/371469?format=json","purl":"pkg:composer/october/october@1.1.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-u8t7-har2-17fn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.1.11"}],"aliases":["CVE-2022-23655","GHSA-53m6-44rc-h2q5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s7nn-tyj8-wkhw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41252?format=json","vulnerability_id":"VCID-scbz-9f86-a7e9","summary":"Potential CSV Injection vector in OctoberCMS\n### Impact\nAny users with the ability to modify any data that could eventually be exported as a CSV file from the `ImportExportController` could potentially introduce a CSV injection into the 
data to cause the generated CSV export file to be malicious. This requires attackers to achieve the following before a successful attack can be completed: \n\n1. Have found a vulnerability in the victim's spreadsheet software of choice.\n2. Control data that would potentially be exported through the `ImportExportController` by a theoretical victim.\n3. Convince the victim to export above data as a CSV and run it in vulnerable spreadsheet software while also bypassing any sanity checks by said software.\n\n### Patches\nIssue has been patched in Build 466 (v1.0.466).\n\n### Workarounds\nApply https://github.com/octobercms/library/commit/c84bf03f506052c848f2fddc05f24be631427a1a & https://github.com/octobercms/october/commit/802d8c8e09a2b342649393edb6d3ceb958851484 to your installation manually if unable to upgrade to Build 466.\n\n### References\nReported by @chrisvidal initially & [Sivanesh Ashok](https://stazot.com/) later.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\nGiven the number of hoops that a potential attacker would have to jump through, this vulnerability really boils down to the possibility of abusing the trust that a user may have in the export functionality of the project. 
Thus, this has been rated low severity as it requires vulnerabilities to also exist in other software used by any potential victims as well as successful social engineering attacks.","references":[{"reference_url":"http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5299","reference_id":"","reference_type":"","scores":[{"value":"0.00673","scoring_system":"epss","scoring_elements":"0.71745","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-5299"},{"reference_url":"http://seclists.org/fulldisclosure/2020/Aug/2","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2020/Aug/2"},{"reference_url":"https://github.com/octobercms/library/commit/c84bf03f506052c848f2fddc05f24be631427a1a","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/commit/c84bf03f506052c848f2fddc05f24be631427a1a"},{"reference_url":"https://github.com/octobercms/october/commit/802d8c8e09a2b342649393edb6d3ceb958851484","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1
/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/802d8c8e09a2b342649393edb6d3ceb958851484"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-4rhm-m2fp-hx7q","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-4rhm-m2fp-hx7q"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5299","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5299"},{"reference_url":"https://github.com/advisories/GHSA-4rhm-m2fp-hx7q","reference_id":"GHSA-4rhm-m2fp-hx7q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4rhm-m2fp-hx7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74970?format=json","purl":"pkg:composer/october/october@1.0.466","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-5qtb-bbzw-u7bh"},{"vulnerability":"VCID-7n8x-v7ax-gfa8"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-kvcv-vnpf-b3dx"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-rf1k-5u6t-
3fa5"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-wc6k-k8g6-akct"},{"vulnerability":"VCID-z77m-gq6n-4bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.466"}],"aliases":["CVE-2020-5299","GHSA-4rhm-m2fp-hx7q"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-scbz-9f86-a7e9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52232?format=json","vulnerability_id":"VCID-u8t7-har2-17fn","summary":"October CMS upload process vulnerable to RCE via Race Condition\n### Impact\n\nThis advisory affects plugins that expose the `October\\Rain\\Database\\Attach\\File::fromData` as a public interface. This vulnerability does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally.\n\nWhen the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory.\n\n### Patches\n\nThe issue has been patched in Build 476 (v1.0.476) and v1.1.12 and v2.2.15.\n\n### Workarounds\n\nApply https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83 to your installation manually if unable to upgrade to Build 476 (v1.0.476) or v1.1.12 or v2.2.15.\n\n### References\n\nCredits to:\n- DucNT, HungTD and GiangVQ from RedTeam@VNG Security Response Center.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n- Email us at 
[hello@octobercms.com](mailto:hello@octobercms.com)","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24800","reference_id":"","reference_type":"","scores":[{"value":"0.02925","scoring_system":"epss","scoring_elements":"0.86647","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24800"},{"reference_url":"https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:51:41Z/"}],"url":"https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T15:51:41Z/"}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24800","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_s
ystem":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24800"},{"reference_url":"https://github.com/advisories/GHSA-8v7h-cpc2-r8jp","reference_id":"GHSA-8v7h-cpc2-r8jp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8v7h-cpc2-r8jp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/562162?format=json","purl":"pkg:composer/october/october@1.0.476","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.476"},{"url":"http://public2.vulnerablecode.io/api/packages/562163?format=json","purl":"pkg:composer/october/october@1.1.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.1.12"},{"url":"http://public2.vulnerablecode.io/api/packages/374039?format=json","purl":"pkg:composer/october/october@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-8zm8-6yxy-t7hm"},{"vulnerability":"VCID-f74d-n6bt-jkbh"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-r8ea-d2w6-d3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@3.0.0"}],"aliases":["CVE-2022-24800","GHSA-8v7h-cpc2-r8jp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u8t7-har2-17fn"},{"url":"ht
tp://public2.vulnerablecode.io/api/vulnerabilities/41052?format=json","vulnerability_id":"VCID-wc6k-k8g6-akct","summary":"Privilege escalation by backend users assigned to the default \"Publisher\" system role\n### Impact\nBackend users with the default \"Publisher\" system role have access to create & manage users where they can choose which role the new user has. This means that a user with \"Publisher\" access has the ability to escalate their access to \"Developer\" access. \n\n### Patches\nIssue has been patched in Build 470 (v1.0.470) & v1.1.1.\n\n### Workarounds\nApply https://github.com/octobercms/october/commit/78a37298a4ed4602b383522344a31e311402d829 to your installation manually if unable to upgrade to Build 470 or v1.1.1.\n\n### References\nReported by [Hoan Hoang](https://github.com/hoanhp)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n<img width=\"1098\" alt=\"Screen Shot 2020-10-10 at 1 37 25 PM\" 
src=\"https://user-images.githubusercontent.com/7253840/95663611-e6326c80-0afd-11eb-8a1e-8b767a7202fb.png\">","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15248","reference_id":"","reference_type":"","scores":[{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15495","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15248"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://github.com/octobercms/october/commit/4c650bb775ab849e48202a4923bac93bd74f9982","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/4c650bb775ab849e48202a4923bac93bd74f9982"},{"reference_url":"https://github.com/octobercms/october/commit/78a37298a4ed4602b383522344a31e311402d829","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/78a37298a4ed4602b383522344a31e311402d829"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-rfjc-xrmf-5vvw","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/securi
ty/advisories/GHSA-rfjc-xrmf-5vvw"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15248","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15248"},{"reference_url":"https://github.com/advisories/GHSA-rfjc-xrmf-5vvw","reference_id":"GHSA-rfjc-xrmf-5vvw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rfjc-xrmf-5vvw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/463935?format=json","purl":"pkg:composer/october/october@1.0.469","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-ppth-dna8-gqc9"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.469"}],"aliases":["CVE-2020-15248","GHSA-rfjc-xrmf-5vvw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wc6k-k8g6-akct"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41133?format=json","vulnerability_id":"VCID-z77m-gq6n-4bd5","summary":"Cross-site Scripting in October\n### Impact\nPasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack.\n\n### Patches\nIssue has been patched in Build 467 (v1.0.467).\n\n### Workarounds\nApply https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5 to 
your installation manually if unable to upgrade to Build 467.\n\n### References\n- https://research.securitum.com/the-curious-case-of-copy-paste/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat Assessment\nAssessed as Low given that by the nature of the attack it can only impact users that do it to themselves by copying and pasting from malicious websites.\n\n### Acknowledgements\n\nThanks to [Michał Bentkowski of Securitum](https://research.securitum.com/authors/michal-bentkowski/) for finding the original issue in Froala and @tomaszstrojny for reporting the issue to the October CMS team.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-4061","reference_id":"","reference_type":"","scores":[{"value":"0.00309","scoring_system":"epss","scoring_elements":"0.54327","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-4061"},{"reference_url":"https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-3pc2-fm7p-q2vg","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-3pc2-fm7p-q2vg"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2
020-4061","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-4061"},{"reference_url":"https://research.securitum.com/the-curious-case-of-copy-paste","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://research.securitum.com/the-curious-case-of-copy-paste"},{"reference_url":"https://research.securitum.com/the-curious-case-of-copy-paste/","reference_id":"","reference_type":"","scores":[],"url":"https://research.securitum.com/the-curious-case-of-copy-paste/"},{"reference_url":"https://github.com/advisories/GHSA-3pc2-fm7p-q2vg","reference_id":"GHSA-3pc2-fm7p-q2vg","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3pc2-fm7p-q2vg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/450223?format=json","purl":"pkg:composer/october/october@1.0.467","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4thu-npzq-7qeg"},{"vulnerability":"VCID-5f5g-appd-sfh1"},{"vulnerability":"VCID-5qtb-bbzw-u7bh"},{"vulnerability":"VCID-7n8x-v7ax-gfa8"},{"vulnerability":"VCID-9d93-weag-gkcw"},{"vulnerability":"VCID-d5fw-ewdh-qfh2"},{"vulnerability":"VCID-g3nd-w64m-bkf3"},{"vulnerability":"VCID-hdfk-vgs3-jbc6"},{"vulnerability":"VCID-kvcv-vnpf-b3dx"},{"vulnerability":"VCID-ntdm-ne1n-hue7"},{"vulnerability":"VCID-qqn7-pr5q-ukb8"},{"vulnerability":"VCID-rf1k-5u6t-3fa5"},{"vulnerability":"VCID-s7nn-tyj8-wkhw"},{"vulnerability":"VCID-u8t7-har2-17fn"},{"vulnerability":"VCID-wc6k-k8g6-akct"}],"resource_url":"http://public2.vulnerablecode.io/packages
/pkg:composer/october/october@1.0.467"}],"aliases":["CVE-2020-4061","GHSA-3pc2-fm7p-q2vg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z77m-gq6n-4bd5"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/october@1.0.410"}