Vulnerabilities > Octobercms
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-23 | CVE-2020-15249 | Cross-site Scripting vulnerability in Octobercms October October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. | 5.4 |
| 2020-11-23 | CVE-2020-15248 | Improper Privilege Management vulnerability in Octobercms October October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. | 4.2 |
| 2020-11-23 | CVE-2020-15247 | Unspecified vulnerability in Octobercms October October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. | 5.2 |
| 2020-11-23 | CVE-2020-15246 | Path Traversal vulnerability in Octobercms October October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. | 7.5 |
| 2020-07-31 | CVE-2020-15128 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Octobercms October In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. | 6.3 |
| 2020-07-14 | CVE-2020-11083 | Cross-site Scripting vulnerability in Octobercms October In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. | 4.8 |
| 2020-07-02 | CVE-2020-4061 | Cross-site Scripting vulnerability in Octobercms October In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. | 5.4 |
| 2020-06-04 | CVE-2020-11094 | Information Exposure Through Log Files vulnerability in Octobercms Debugbar The October CMS debugbar plugin before version 3.1.0 contains a feature where it will log all requests (and all information pertaining to each request including session data) whenever it is enabled. | 9.8 |
| 2020-06-03 | CVE-2020-5299 | Command Injection vulnerability in Octobercms October In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, any users with the ability to modify any data that could eventually be exported as a CSV file from the `ImportExportController` could potentially introduce a CSV injection into the data to cause the generated CSV export file to be malicious. | 5.1 |
| 2020-06-03 | CVE-2020-5298 | Cross-site Scripting vulnerability in Octobercms October In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466). | 4.8 |