CVE-2020-5297

Name of the Vulnerable Software and Affected Versions OctoberCMS versions 1.0.319 through 1.0.465

Description An attacker can exploit this issue to upload various file types, including jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, and xml files, to any directory of an October CMS server. The issue is only exploitable by an authenticated backend user with the cms.manage assets permission.

Recommendations For versions 1.0.319 through 1.0.465, update to Build 466 (v1.0.466) to resolve the issue. As a temporary workaround, consider applying the patch from https://github.com/octobercms/october/commit/6711dae8ef70caf0e94cec434498012a2ccd86b8 to your installation manually if unable to upgrade to Build 466.