Remote Code Execution Vulnerability in October CMS by October
CVE-2017-16941

8.8HIGH

Key Information:

Vendor: Octobercms
Status: October
Vendor: CVE Published:; 25 November 2017

What is CVE-2017-16941?

October CMS versions up to 1.0.428 are susceptible to a remote code execution vulnerability caused by improper handling of .htaccess files within theme uploads. This flaw enables authenticated users to exploit the system by downloading a theme ZIP file, modifying it to include a malicious .php and .htaccess file, and then uploading the altered archive back to the platform. This could allow an attacker, who has gained access to an account with theme management permissions, to execute arbitrary PHP code on the server.

References

https://github.com/octobercms/october/issues/3257

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 25, 2017
Vulnerability Reserved
Nov 24, 2017

CVE-2017-16941 Data

JSON

Octobercms

What is CVE-2017-16941?

References

CVSS V3.1

Timeline