CVE-2017-16941

Name of the Vulnerable Software and Affected Versions October CMS versions 1.0.0 through 1.0.428

Description The issue allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from /backend/cms/themes, and then uploading and importing a modified archive with two new files: a .php file and a .htaccess file. The vendor has expressed that they do not consider an attacker with access to manage/upload themes a significant threat model.

Recommendations For October CMS versions 1.0.0 through 1.0.428, consider restricting access to the theme management feature to minimize the risk of exploitation. As a temporary workaround, avoid using the /backend/cms/themes endpoint to download and upload theme ZIP archives until a patch is available. Restrict access to the .htaccess file in themes to prevent arbitrary PHP code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.