PT-2020-14208 · October · October Cms

Takashi Terada

Published: 2020-07-31 · Updated: 2022-04-25

CVE-2020-15128

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OctoberCMS versions prior to 1.0.468

Description: Encrypted cookie values are not tied to the name of the cookie they were issued for. This potentially allows certain classes of attacks to succeed if other vulnerabilities in user-facing code are present. Specifically, if user input is stored in a cookie and returned to the user, the user could present that generated cookie in place of a more tightly controlled cookie. Alternatively, if the plaintext version of an encrypted cookie is exposed to the user, they could feed encrypted content produced by the application back to it as a different encrypted cookie, forcing the framework to decrypt it.

Recommendations: For versions prior to 1.0.468, update to version 1.0.468 or later to fix the issue. As a temporary workaround, consider applying the patch from https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c to your installation manually if you are unable to upgrade to Build 468. Note that if the cookie session driver is in use, all session data will be invalidated and users will need to log in again once their current session expires.
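To make the weakness concrete, the following added example (not October CMS's or the patch's own code) seals a cookie value with encrypt-then-MAC and shows why the MAC must also cover the cookie name: without that binding, a token issued under one cookie name verifies under any other. The key, the cookie names, and the HMAC-based keystream are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os

# Constructed demo key; a real application derives this from its configured app key.
KEY = hashlib.sha256(b"demo-app-key").digest()


def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (demo only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(name, value, key=KEY, bind_name=True):
    """Encrypt-then-MAC a cookie value. With bind_name the MAC covers the cookie name too."""
    nonce = os.urandom(16)
    pt = value.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    aad = name.encode() if bind_name else b""  # bind_name=False mirrors the pre-1.0.468 behaviour
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()


def open_cookie(name, token, key=KEY, bind_name=True):
    """Verify the MAC under the cookie name the value arrived as; None on failure."""
    raw = base64.b64decode(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    aad = name.encode() if bind_name else b""
    expect = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def swap_succeeds(bind_name):
    """Model the advisory: a value the app sealed under a loosely controlled cookie
    ("search_query", echoing user input) is presented as a tightly controlled one ("role")."""
    token = seal("search_query", "admin", bind_name=bind_name)
    return open_cookie("role", token, bind_name=bind_name) == "admin"


if __name__ == "__main__":
    print("unbound cookies swappable:", swap_succeeds(False))  # True
    print("name-bound cookies swappable:", swap_succeeds(True))  # False
```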

Fix

Weakness Enumeration

Use of a Broken Cryptographic Algorithm

Related Identifiers

CVE-2020-15128
GHSA-55MM-5399-7R63

Affected Products

October Cms