CVE-2020-15246: Local File Inclusion by unauthenticated users
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.76979%
CWE
Published
11/23/2020
Updated
2/1/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
october/cms | composer | >= 1.0.421, < 1.0.469 | 1.0.469 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insufficient validation
in the whereFileName
method, which handles filename
inputs. The patched commit adds a validateFileName()
call to this method, indicating it was previously missing critical path traversal checks. This allowed unauthenticated attackers to manipulate the filename
parameter to access restricted files via directory traversal. The direct correlation between the vulnerability description (path traversal
) and the patched function's added validation
confirms this as the primary vulnerable function.