PT-2020-18384 · October · October Cms
Sivanesh Ashok
Published 2020-06-03 · Updated 2022-06-30 · CVE-2020-5295
CVSS v3.1: 4.8 Medium
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OctoberCMS versions 1.0.319 through 1.0.465
Description
An attacker can exploit this issue to read local files of an October CMS server. The issue is only exploitable by an authenticated backend user with the cms.manage_assets permission.
Recommendations
For versions 1.0.319 through 1.0.465, update to Build 466 (v1.0.466) to resolve the issue.
As a temporary workaround for versions that cannot be updated to Build 466, apply the patch from https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc to your installation manually.
Affected Products
October Cms