Vulnerability Information
Vulnerability Title
N/A
Vulnerability Description
October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from /backend/cms/themes, and then uploading and importing a modified archive with two new files: a .php file and a .htaccess file. NOTE: the vendor says "I don't think [an attacker able to login to the system under an account that has access to manage/upload themes] is a threat model that we need to be considering."
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
October CMS security vulnerability
Vulnerability Description
October CMS is an open-source, self-hosted content management system (CMS) built on the Laravel PHP framework, developed jointly by Canadian software developer Alexey Bobkov and Australian software developer Samuel Georges. A security vulnerability exists in October CMS 1.0.428 and earlier versions; it stems from the program not preventing the use of .htaccess in themes. A remote attacker can exploit this vulnerability to execute arbitrary PHP code by downloading a theme ZIP archive from /backend/cms/themes, then uploading and importing a modified archive that contains two new files: a .php file and a .htaccess file.
CVSS Information
N/A
Vulnerability Type
N/A