Home > Vulnerability Database > CVE-2020-5298

Mend.io Vulnerability Database

CVE-2020-5298

Date: June 3, 2020

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the "ImportExportController" behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466).

Language: PHP

Severity Score

4.0

Related Resources (6)

Url: http://seclists.org/fulldisclosure/2020/Aug/2

Url: https://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c

Url: http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-5298

Url: https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c

Url: https://www.mend.io/vulnerability-database/CVE-2020-5298

Severity Score

4.0

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Alternate XSS Syntax

CWE-87

CVSS v3.1

Base Score:	4.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	3.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	SINGLE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-5298

Date: June 3, 2020

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?