October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default Publisher system role have access to create & manage users where they can choose which role the new user has. This means that a user with Publisher access has the ability to escalate their access to Developer access. Issue has been patched in Build 470 (v1.0.470) & v1.1.1.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Name | Vendor | Start Version | End Version |
---|---|---|---|
October | Octobercms | 1.0.319 (including) | 1.0.469 (excluding) |