A vulnerability was found in October CMS up to Build 436 (Content Management System). It has been rated as problematic. Affected by this issue is the function makeFileContents of the file modules/system/traits/ViewMaker.php#244. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. CVE summarizes:

October CMS version prior to Build 437 contains a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (makeFileContents function) that can result in Sensitive information disclosure and remote code execution. This attack appear to be exploitable remotely if the /backend path is accessible. This vulnerability appears to have been fixed in Build 437.

The bug was discovered 06/22/2018. The weakness was shared 07/23/2018 (Website). The advisory is shared for download at octobercms.com. This vulnerability is handled as CVE-2018-1999009 since 07/23/2018. The attack may be launched remotely. No form of authentication is required for exploitation. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1592.

The vulnerability was handled as a non-public zero-day exploit for at least 31 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version Build 437 eliminates this vulnerability.

The entry 122083 is related to this item.

Productinfo

Type

• Content Management System

Vendor

• October

Name

• CMS

Version

• Build 436

License

• commercial

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion