NVD Vulnerability Details: CVE-2020-15128
Status: Analyzed
Source: security-advisories@github.com
Published: 31 Jul, 2020 | 18:15
Updated: 25 Apr, 2022 | 17:41

In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user-facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered input and have it returned to them as an encrypted cookie (e.g. storing a user-provided search query in a cookie), they could then use the generated cookie in place of other, more tightly controlled cookies; or, if your usage exposed the plaintext version of an encrypted cookie to the user at any point, they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. The issue has been fixed in build 468 (v1.0.468).
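Added example (not code from the NVD record or from OctoberCMS): a minimal Python cookie-encryption helper that contrasts a MAC covering only nonce and ciphertext with one that also authenticates the cookie name, so a token issued for a loosely controlled cookie is rejected when presented under a different name. The HMAC-based keystream, key and cookie names are constructed for the demo and are not the project's actual scheme.

```python
import base64
import hashlib
import hmac
import os

# Constructed demo key; a real application loads its key from configuration.
KEY = hashlib.sha256(b"constructed-demo-key").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (a real app would use an AEAD)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _tag(key: bytes, name: str, nonce: bytes, ct: bytes, bind_name: bool) -> bytes:
    # Unbound: the MAC covers nonce and ciphertext only, so nothing ties the
    # token to the cookie it was issued for. Bound: the cookie name is
    # authenticated too, so a token replayed under another name fails the check.
    assoc = name.encode() + b"|" if bind_name else b""
    return hmac.new(key, assoc + nonce + ct, hashlib.sha256).digest()


def encrypt_cookie(key: bytes, name: str, plaintext: str, bind_name: bool = True) -> str:
    nonce = os.urandom(16)
    pt = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return base64.urlsafe_b64encode(nonce + ct + _tag(key, name, nonce, ct, bind_name)).decode()


def decrypt_cookie(key: bytes, name: str, token: str, bind_name: bool = True):
    raw = base64.urlsafe_b64decode(token)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, _tag(key, name, nonce, ct, bind_name)):
        return None  # reject: tampered, or presented under a different cookie name
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def swap_succeeds(key: bytes, bind_name: bool) -> bool:
    """Issue a token for a loosely controlled cookie, then present it under a
    tightly controlled cookie's name. Returns True if the swap is accepted."""
    token = encrypt_cookie(key, "search_query", "admin", bind_name)
    return decrypt_cookie(key, "role", token, bind_name) == "admin"


if __name__ == "__main__":
    print("unbound swap accepted:", swap_succeeds(KEY, False))  # True
    print("name-bound swap accepted:", swap_succeeds(KEY, True))  # False
```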

CISA Catalog
Not listed (Date Added, Due Date, Vulnerability Name and Required Action: N/A)
Metrics
Type       Version  Base score  Base severity  Vector
Primary    3.1      6.3         MEDIUM         CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Secondary  3.1      6.1         MEDIUM         CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
Primary    2.0      3.5         LOW            AV:N/AC:M/Au:S/C:N/I:P/A:N
CPE Matches
Vendor: octobercms
Product: october
Versions: before 1.0.468 (exclusive)
cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*
Weaknesses
CWE ID   Type       Source
CWE-327  Primary    nvd@nist.gov
CWE-565  Secondary  security-advisories@github.com
References
Hyperlink: https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c
Source: security-advisories@github.com
Resource: Patch, Third Party Advisory

Hyperlink: https://github.com/octobercms/library/pull/508
Source: security-advisories@github.com
Resource: Patch, Third Party Advisory

Hyperlink: https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63
Source: security-advisories@github.com
Resource: Third Party Advisory
Change History
0 changes found