What is CVE-2020-15128?

CVE-2020-15128 is a vulnerability in OctoberCMS before version 1.0.468 where encrypted cookie values were not tied to the name of the cookie.

What is the severity of CVE-2020-15128?

The severity of CVE-2020-15128 is medium with a CVSS score of 6.3.

How does CVE-2020-15128 affect OctoberCMS?

CVE-2020-15128 affects OctoberCMS before version 1.0.468, allowing certain classes of attacks that take advantage of other theoretical vulnerabilities in user-facing code.

How can I fix CVE-2020-15128 in OctoberCMS?

To fix CVE-2020-15128 in OctoberCMS, upgrade to version 1.0.468 or later.

Is there any additional information about CVE-2020-15128?

Yes, you can find more information about CVE-2020-15128 on the GitHub commits and security advisories provided in the references section.

Vulnerability/
CVE-2020-15128

medium

6.3

CWE

327 565

31/7/2020

4/8/2024

CVE-2020-15128: Reliance on Cookies without validation in OctoberCMS

First published: Fri Jul 31 2020(Updated: )

In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468).

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Octobercms October	<1.0.468

Remedy

https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c

Remedy

https://github.com/octobercms/library/pull/508

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2020-15128?
CVE-2020-15128 is a vulnerability in OctoberCMS before version 1.0.468 where encrypted cookie values were not tied to the name of the cookie.
What is the severity of CVE-2020-15128?
The severity of CVE-2020-15128 is medium with a CVSS score of 6.3.
How does CVE-2020-15128 affect OctoberCMS?
CVE-2020-15128 affects OctoberCMS before version 1.0.468, allowing certain classes of attacks that take advantage of other theoretical vulnerabilities in user-facing code.
How can I fix CVE-2020-15128 in OctoberCMS?
To fix CVE-2020-15128 in OctoberCMS, upgrade to version 1.0.468 or later.
Is there any additional information about CVE-2020-15128?
Yes, you can find more information about CVE-2020-15128 on the GitHub commits and security advisories provided in the references section.

collector/nvd-index
agent/weakness
agent/type
agent/remedy
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/title
agent/severity
agent/last-modified-date
agent/author
agent/references
agent/tags
agent/description
agent/first-publish-date
agent/event
vendor/octobercms
canonical/octobercms october

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.