CVE-2020-15128

In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468).

CVSS v3 6.3 MEDIUM
CVSS v2.0 3.5 LOW

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

3.5^/10

CVSS v2.0 : LOW

Vector : AV:N/AC:M/Au:S/C:N/I:P/A:N

Exploitability : 6.8 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c	Patch Third Party Advisory
https://github.com/octobercms/library/pull/508	Patch Third Party Advisory
https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*

History

25 Apr 2022, 17:41

Type	Values Removed	Values Added
CWE	~~CWE-565~~	CWE-327

Information

Published : 2020-07-31 18:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-15128

Mitre link : CVE-2020-15128

CVE.ORG link : CVE-2020-15128

JSON object : View

Products Affected

octobercms

october

CWE

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

CWE-565

Reliance on Cookies without Validation and Integrity Checking

{"id": "CVE-2020-15128", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 1.6}]}, "published": "2020-07-31T18:15:14.350", "references": [{"url": "https://github.com/octobercms/library/commit/28310d4fb336a1741b39498f4474497644a6875c", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/octobercms/library/pull/508", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/octobercms/october/security/advisories/GHSA-55mm-5399-7r63", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-327"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-565"}]}], "descriptions": [{"lang": "en", "value": "In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core project itself) had a higher chance of succeeding. Specifically, if your usage exposed a way for users to provide unfiltered user input and have it returned to them as an encrypted cookie (ex. storing a user provided search query in a cookie) they could then use the generated cookie in place of other more tightly controlled cookies; or if your usage exposed the plaintext version of an encrypted cookie at any point to the user they could theoretically provide encrypted content from your application back to it as an encrypted cookie and force the framework to decrypt it for them. Issue has been fixed in build 468 (v1.0.468)."}, {"lang": "es", "value": "En OctoberCMS versiones anteriores a 1.0.468, los valores de cookies cifrados no estaban enlazados al nombre de la cookie a la que pertenec\u00eda el valor. Esto significaba que determinadas clases de ataques que toman ventaja a otras vulnerabilidades te\u00f3ricas en el c\u00f3digo de usuario (nada explotable en el proyecto central en s\u00ed) ten\u00edan una mayor oportunidad de \u00e9xito. Espec\u00edficamente, si su uso expuso una forma para que los usuarios proporcionen informaci\u00f3n de usuario sin filtrar y que se la devuelva como una cookie cifrada (por ejemplo, almacenando una consulta de b\u00fasqueda proporcionada por el usuario en una cookie), podr\u00edan usar la cookie generada en lugar de otras cookies estrictamente controladas; o si su uso expuso la versi\u00f3n de texto plano de una cookie cifrada en alg\u00fan momento al usuario, te\u00f3ricamente podr\u00edan proporcionarle contenido cifrado de su aplicaci\u00f3n como cookie cifrada y forzar al framework a descifrarla. El problema ha sido corregido en el build 468 (versi\u00f3n v1.0.468)"}], "lastModified": "2022-04-25T17:41:41.593", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "63415731-A650-4848-8402-76F1E60C608C", "versionEndExcluding": "1.0.468"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}