PT-2020-12549 · Rain · October Cms Debugbar Plugin

Freddie Poser · Published 2020-06-03 · Updated 2020-06-10 · CVE-2020-11094

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

October CMS debugbar plugin (RainLab.Debugbar), versions prior to 3.1.0

Description

The October CMS debugbar plugin contains a feature that, when enabled, stores every request it handles, including session data. If the plugin is enabled on a system that untrusted users can reach, anyone who can reach it can browse the stored requests and read the sensitive data they contain, including the session identifiers of authenticated users. Replaying a captured session identifier allows the attacker to take over that user's session; if the captured session belongs to an administrative user, the attacker gains full access to the system. No authentication is required to reach the stored requests, which is why the vector carries PR:N.

Recommendations

For versions prior to 3.1.0, update to version 3.1.0 or later, which locks down access to the debugbar and places the feature that exposes stored request information behind a more restrictive permission. If upgrading is not possible, apply the fix manually from https://github.com/rainlab/debugbar-plugin/commit/86dd29f9866d712de7d98f5f9dc67751b82ecd18. Independently of the version, do not leave the debugbar (or the debug mode that activates it) enabled on any system reachable by untrusted users: the permission check added in 3.1.0 limits who may view stored requests, but the requests, session data included, are still recorded while the plugin is active.
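A quick way to confirm whether an October CMS checkout matches the two conditions above (plugin older than 3.1.0, debug mode switched on), as an added example that is not code from the advisory or from the RainLab plugin. It assumes, as the page does not state, that the plugin sits under plugins/rainlab/debugbar/ with its version history as top-level keys in updates/version.yaml, and that debug mode is taken from APP_DEBUG in .env or from the 'debug' entry in config/app.php; the sample inputs at the bottom are constructed, not real changelog content.

```python
"""Flag an October CMS install that matches PT-2020-12549's conditions:
RainLab Debugbar older than 3.1.0 with debug mode on.

Added example, not the advisory's or the plugin's own code. Assumed
layout (not stated on the page): plugins/rainlab/debugbar/updates/version.yaml
holds version numbers as top-level keys; debug mode comes from APP_DEBUG
in .env, falling back to the 'debug' entry in config/app.php.
"""
import re
from pathlib import Path

FIXED_VERSION = (3, 1, 0)  # advisory: fixed in 3.1.0

# "3.0.4:" or "'3.0.4':" at the start of a line in version.yaml
_VERSION_KEY = re.compile(r"^['\"]?(\d+)\.(\d+)\.(\d+)['\"]?\s*:")
# APP_DEBUG=true / APP_DEBUG="false" in .env
_ENV_DEBUG = re.compile(r"^\s*APP_DEBUG\s*=\s*['\"]?(\w+)")
# 'debug' => true  or  'debug' => env('APP_DEBUG', false)  in config/app.php
_PHP_DEBUG = re.compile(
    r"['\"]debug['\"]\s*=>\s*(?:env\(\s*['\"]APP_DEBUG['\"]\s*,\s*)?(true|false)",
    re.IGNORECASE,
)
_TRUTHY = {"true", "1", "on", "yes"}


def parse_plugin_version(version_yaml: str):
    """Highest version key in version.yaml as a (major, minor, patch) tuple."""
    found = []
    for line in version_yaml.splitlines():
        m = _VERSION_KEY.match(line)
        if m:
            found.append(tuple(int(g) for g in m.groups()))
    return max(found) if found else None


def debug_enabled(env_text: str, app_php_text: str) -> bool:
    """APP_DEBUG from .env wins; otherwise the literal (or env() default) in app.php."""
    value = None
    for line in env_text.splitlines():
        m = _ENV_DEBUG.match(line)
        if m:
            value = m.group(1)  # last assignment wins, as dotenv loaders do
    if value is None:
        m = _PHP_DEBUG.search(app_php_text)
        value = m.group(1) if m else "false"
    return value.lower() in _TRUTHY


def assess(version_yaml: str, env_text: str = "", app_php_text: str = "") -> dict:
    """Combine both conditions from the advisory into one verdict."""
    version = parse_plugin_version(version_yaml)
    old_plugin = version is not None and version < FIXED_VERSION
    debug = debug_enabled(env_text, app_php_text)
    return {
        "plugin_version": ".".join(map(str, version)) if version else None,
        "vulnerable_version": old_plugin,
        "debug_enabled": debug,
        "exposed": old_plugin and debug,
    }


def assess_install(root) -> dict:
    """Run assess() against a real checkout; missing files count as empty."""
    root = Path(root)

    def read(*parts):
        p = root.joinpath(*parts)
        return p.read_text() if p.is_file() else ""

    return assess(
        read("plugins", "rainlab", "debugbar", "updates", "version.yaml"),
        read(".env"),
        read("config", "app.php"),
    )


# Constructed sample inputs (not real plugin changelog content).
SAMPLE_VERSION_YAML = """\
1.0.1: Sample first entry
3.0.4:
    - Sample entry for a pre-fix release
"""
SAMPLE_ENV = "APP_ENV=production\nAPP_DEBUG=true\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(assess_install(sys.argv[1]))   # path to the October CMS root
    else:
        print(assess(SAMPLE_VERSION_YAML, SAMPLE_ENV))
```

Run it with the path to the site root to check a live install; with no argument it evaluates the constructed sample and reports it as exposed. An install at 3.1.0 or later is reported as not exposed even with debug on, since the permission check from the fix applies, but the debug_enabled flag is still worth acting on for a public-facing site.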

Fix

https://github.com/rainlab/debugbar-plugin/commit/86dd29f9866d712de7d98f5f9dc67751b82ecd18

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2020-11094
GHSA-c8wh-6jw4-2h79

Affected Products

October CMS Debugbar Plugin