{"url":"http://public2.vulnerablecode.io/api/packages/79207?format=json","purl":"pkg:composer/october/backend@1.0.469","type":"composer","namespace":"october","name":"backend","version":"1.0.469","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.1.2","latest_non_vulnerable_version":"1.1.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54154?format=json","vulnerability_id":"VCID-a3cc-swkj-cue8","summary":"October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers\nWhen running on servers that are configured to accept a wildcard as a hostname (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. See the following resources for more information on Host Header Poisoning:\n- https://portswigger.net/web-security/host-header\n- https://dzone.com/articles/what-is-a-host-header-attack","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21265","reference_id":"","reference_type":"","scores":[{"value":"0.0051","scoring_system":"epss","scoring_elements":"0.66767","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0051","scoring_system":"epss","scoring_elements":"0.66731","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0051","scoring_system":"epss","scoring_elements":"0.66772","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0051","scoring_system":"epss","scoring_elements":"0.66779","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0051","scoring_system":"epss","scoring_elements":"0.66765","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0051","scoring_system":"epss","scoring_elements":"0.66749","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-21265"},{"reference_url":"https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d"},{"reference_url":"https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"},{"reference_url":"https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30"},{"reference_url":"https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"},{"reference_url":"https://packagist.org/packages/october/backend","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://packagist.org/packages/october/backend"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21265","reference_id":"CVE-2021-21265","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21265"},{"reference_url":"https://github.com/advisories/GHSA-xhfx-hgmf-v6vp","reference_id":"GHSA-xhfx-hgmf-v6vp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xhfx-hgmf-v6vp"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp","reference_id":"GHSA-xhfx-hgmf-v6vp","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79934?format=json","purl":"pkg:composer/october/backend@1.1.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/backend@1.1.2"}],"aliases":["CVE-2021-21265","GHSA-xhfx-hgmf-v6vp"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a3cc-swkj-cue8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53821?format=json","vulnerability_id":"VCID-tu2z-fxdj-d7ac","summary":"Incorrect Authorization\nOctober is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from and, backend users with the default \"Publisher\" system role have access to create & manage users where they can choose which role the new user has. This means that a user with \"Publisher\" access has the ability to escalate their access to \"Developer\" access.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15248","reference_id":"","reference_type":"","scores":[{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15493","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15435","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15409","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15458","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15541","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15532","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15248"},{"reference_url":"https://github.com/octobercms/october","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october"},{"reference_url":"https://github.com/octobercms/october/commit/4c650bb775ab849e48202a4923bac93bd74f9982","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/4c650bb775ab849e48202a4923bac93bd74f9982"},{"reference_url":"https://github.com/octobercms/october/commit/78a37298a4ed4602b383522344a31e311402d829","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/commit/78a37298a4ed4602b383522344a31e311402d829"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15248","reference_id":"CVE-2020-15248","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15248"},{"reference_url":"https://github.com/advisories/GHSA-rfjc-xrmf-5vvw","reference_id":"GHSA-rfjc-xrmf-5vvw","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rfjc-xrmf-5vvw"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-rfjc-xrmf-5vvw","reference_id":"GHSA-rfjc-xrmf-5vvw","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-rfjc-xrmf-5vvw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79205?format=json","purl":"pkg:composer/october/backend@1.0.470","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a3cc-swkj-cue8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/backend@1.0.470"}],"aliases":["CVE-2020-15248","GHSA-rfjc-xrmf-5vvw"],"risk_score":1.8,"exploitability":"0.5","weighted_severity":"3.6","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tu2z-fxdj-d7ac"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53822?format=json","vulnerability_id":"VCID-t976-3r1h-gye3","summary":"Cross-site Scripting\nOctober is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from and, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (`i.e.` `/storage/app/media/evil.svg)`, but they would have to convince their target to visit that location directly in the target's browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15249","reference_id":"","reference_type":"","scores":[{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37341","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37299","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.3739","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37396","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37365","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37328","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15249"},{"reference_url":"https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4","reference_id":"","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15249","reference_id":"CVE-2020-15249","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15249"},{"reference_url":"https://github.com/advisories/GHSA-fx3v-553x-3c4q","reference_id":"GHSA-fx3v-553x-3c4q","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fx3v-553x-3c4q"},{"reference_url":"https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q","reference_id":"GHSA-fx3v-553x-3c4q","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/octobercms/october/security/advisories/GHSA-fx3v-553x-3c4q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79207?format=json","purl":"pkg:composer/october/backend@1.0.469","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a3cc-swkj-cue8"},{"vulnerability":"VCID-tu2z-fxdj-d7ac"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/backend@1.0.469"}],"aliases":["CVE-2020-15249","GHSA-fx3v-553x-3c4q"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-t976-3r1h-gye3"}],"risk_score":"1.8","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/october/backend@1.0.469"}