Missing server signature validation in OctoberCMS

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to build 474 or v1.1.10. The only known workaround is to manually apply the patch (e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a) which adds server signature validation.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

密码学签名的验证不恰当

Octobercms 数据伪造问题漏洞

Octobercms是美国Octobercms公司的一个基于Php的Cms建站系统。 Octobercms存在数据伪造问题漏洞，该漏洞源于在处理 zip 存档中文件名中的目录遍历序列时输入验证错误而存在的。 远程用户可以上传特制的 zip 存档并覆盖系统上的文件，从而导致系统受损。 该漏洞允许远程用户执行目录遍历攻击。

N/A

N/A