6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-11094

GHSA ID

GHSA-c8wh-6jw4-2h79

EPSS Score

0.66922%

CWE

CWE-532

Published

6/3/2020

Updated

1/9/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-11094

CVE-2020-11094: Potential unauthorized access to stored request & session data when plugin is misconfigured in October CMS Debugbar

Impact

The debugbar contains a perhaps little known feature where it will log all requests (and all information pertaining to each request including session data) whenever it is enabled. This presents a problem if the plugin is ever enabled on a system that is open to untrusted users as the potential exists for them to use this feature to view all requests being made to the application and obtain sensitive information from those requests. There even exists the potential for account takeovers of authenticated users by non-authenticated public users, which would then lead to a number of other potential issues as an attacker could theoretically get full access to the system if the required conditions existed.

Patches

Issue has been patched in v3.1.0 by locking down access to the debugbar to all users; it now requires an authenticated backend user with a specifically enabled permission before it is even usable, and the feature that allows access to stored request information is restricted behind a different permission that's more restrictive.

Workarounds

Apply https://github.com/rainlab/debugbar-plugin/commit/86dd29f9866d712de7d98f5f9dc67751b82ecd18 to your installation manually if unable to upgrade to v3.1.0.

For more information

If you have any questions or comments about this advisory:

Email us at octobercms@luketowers.ca & hello@octobercms.com

Acknowledgements

Thanks to Freddie Poser for reporting the issue to the RainLab team.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-11094

GHSA ID

GHSA-c8wh-6jw4-2h79

EPSS Score

0.66922%

CWE

CWE-532

Published

6/3/2020

Updated

1/9/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rainlab/debugbar-plugin	composer	< 3.1.0	3.1.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from insufficient access controls in two key areas:

The Plugin's boot method enabled debugbar functionality with only a basic backend auth check, not granular permissions.
The underlying debugbar implementation (from Barryvdh) exposed sensitive data endpoints without OctoberCMS permission integration. The patch added permission checks in both the Plugin's workflow (via registerPermissions) and replaced the third-party ServiceProvider with a customized version implementing permission gates. The confidence is high for the Plugin::boot method (explicitly modified in the commit) and medium for the third-party ServiceProvider (implied by its replacement).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** ***u***r *ont*ins * p*r**ps littl* known ***tur* w**r* it will lo* *ll r*qu*sts (*n* *ll in*orm*tion p*rt*inin* to **** r*qu*st in*lu*in* s*ssion **t*) w**n*v*r it is *n**l**. T*is pr*s*nts * pro*l*m i* t** plu*in is *v*r *n**l** on *

Reasoning

T** vuln*r**ility st*mm** *rom insu**i*i*nt ****ss *ontrols in two k*y *r**s: *. T** Plu*in's *oot m*t*o* *n**l** ***u***r *un*tion*lity wit* only * **si* ***k*n* *ut* ****k, not *r*nul*r p*rmissions. *. T** un**rlyin* ***u***r impl*m*nt*tion (*rom *

6.1

Basic Information

Concerned about an active attack path?

CVE-2020-11094: Potential unauthorized access to stored request & session data when plugin is misconfigured in October CMS Debugbar

Impact

Patches

Workarounds

For more information

Acknowledgements

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI