PT-2020-18385 · October · October Cms

Sivanesh Ashok +1 · Published 2020-06-03 · Updated 2022-06-30 · CVE-2020-5296

CVSS v3.1: 6.2 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: OctoberCMS versions 1.0.319 through 1.0.465
Description: An attacker can exploit this issue to delete arbitrary local files on an October CMS server. The issue is only exploitable by an authenticated backend user with the `cms.manage_assets` permission.
Recommendations: For versions 1.0.319 through 1.0.465, update to Build 466 (v1.0.466) to resolve the issue. If you are unable to upgrade to Build 466, consider manually applying the patch from https://github.com/octobercms/october/commit/2b8939cc8b5b6fe81e093fe2c9f883ada4e3c8cc to your installation as a temporary workaround.

Related Identifiers

CVE-2020-5296
GHSA-JV6V-FVVX-4932

Affected Products

October Cms