CVE-2020-15248

Improper Privilege Management

Published: Nov 23, 2020 | Modified: Nov 18, 2021
CVSS 3.x: 4.2 MEDIUM (source: NVD), vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CVSS 2.x: 4.6 MEDIUM, vector AV:L/AC:L/Au:N/C:P/I:P/A:P

October is a free, open-source, self-hosted CMS platform built on the Laravel PHP framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users holding the default Publisher system role can create and manage other backend users, including choosing the role assigned to the user being created. Because the role selection is not restricted to what the acting user itself holds, a Publisher can create an account with the Developer role and log in as it, escalating from Publisher to Developer access. The issue has been patched in Build 470 (v1.0.470) and in v1.1.1.
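The escalation path described above, as an added illustration that is not October CMS source code: the role names Publisher and Developer come from the advisory, while the rank ordering, the Superuser role, and every class and method name below are hypothetical stand-ins. The vulnerable handler trusts the role submitted with the form; the hardened one derives the set of grantable roles from the acting user's own privileges on every save. Requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Illustrative only: not October CMS source. "Publisher" and "Developer"
// come from the advisory; the rank ordering, the Superuser role, and the
// classes and methods below are hypothetical stand-ins.
const ROLE_RANK = ['Publisher' => 1, 'Developer' => 2, 'Superuser' => 3];

final class Actor
{
    public function __construct(
        public string $login,
        public string $role,
        public bool $superuser = false,
    ) {}
}

final class BackendUserService
{
    /** @var array<string, string> login => role */
    private array $users = [];

    public function roleOf(string $login): ?string
    {
        return $this->users[$login] ?? null;
    }

    // Vulnerable pattern: the role is taken straight from the submitted form.
    // Anyone allowed on the user-management screen (a Publisher included) can
    // create or edit an account with any role, Developer among them.
    public function saveUserVulnerable(Actor $actor, string $login, string $role): void
    {
        self::assertKnownRole($role);
        $this->users[$login] = $role;
    }

    // Hardened pattern: the server decides which roles the acting user may
    // grant. Rule used here: a non-superuser may assign only roles ranked at
    // or below its own. The check runs on every save, not only on creation,
    // so an actor cannot edit its own account (or another's) up to Developer.
    public function saveUserHardened(Actor $actor, string $login, string $role): void
    {
        self::assertKnownRole($role);
        if (!$actor->superuser && ROLE_RANK[$role] > ROLE_RANK[$actor->role]) {
            throw new RuntimeException(sprintf(
                '%s (%s) is not allowed to assign role %s',
                $actor->login, $actor->role, $role
            ));
        }
        $this->users[$login] = $role;
    }

    private static function assertKnownRole(string $role): void
    {
        if (!isset(ROLE_RANK[$role])) {
            throw new InvalidArgumentException("unknown role: $role");
        }
    }
}

// Walk through the escalation with constructed accounts.
$publisher = new Actor('pub', 'Publisher');
$svc = new BackendUserService();

// Before the fix: a Publisher mints a Developer account it can then log in as.
$svc->saveUserVulnerable($publisher, 'pub-alt', 'Developer');
printf("vulnerable: pub-alt created with role %s\n", $svc->roleOf('pub-alt'));

// After the fix: the same request is rejected ...
try {
    $svc->saveUserHardened($publisher, 'pub-alt2', 'Developer');
} catch (RuntimeException $e) {
    printf("hardened: rejected (%s)\n", $e->getMessage());
}

// ... while the legitimate workflow, creating another Publisher, still works.
$svc->saveUserHardened($publisher, 'pub-peer', 'Publisher');
printf("hardened: pub-peer created with role %s\n", $svc->roleOf('pub-peer'));

// A Publisher cannot edit its own role upward either; same check, same path.
try {
    $svc->saveUserHardened($publisher, 'pub', 'Developer');
} catch (RuntimeException $e) {
    printf("hardened: self-edit rejected (%s)\n", $e->getMessage());
}
```

Run it with `php escalation.php`. The design point is that the allow-list of grantable roles is computed server-side from the acting user's own privileges on each save; hiding entries in the role dropdown is not a control, since the request can be replayed with any role value.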

Weakness

CWE-269 (Improper Privilege Management): The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name      Vendor       Start Version          End Version
October   Octobercms   1.0.319 (including)    1.0.470 (excluding)

Potential Mitigations

Upgrade to October CMS Build 470 (v1.0.470) or, on the 1.1 branch, v1.1.1. Because any Publisher-role account could have created backend users with elevated roles before the upgrade, review the backend user list for unexpected Developer-role accounts as part of remediation.
