CVE-2020-15246: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

November 23, 2020 (updated November 19, 2021)

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build 469 (v1.0.469) and v1.1.0.

References

github.com/advisories/GHSA-xwjr-6fj7-fc6h
github.com/octobercms/library/commit/80aab47f044a2660aa352450f55137598f362aa4
github.com/octobercms/october/security/advisories/GHSA-xwjr-6fj7-fc6h
nvd.nist.gov/vuln/detail/CVE-2020-15246

Code Behaviors & Features

Detect and mitigate CVE-2020-15246 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →