CVE-2020-15249

CVE-2020-15249 is a low-severity vulnerability in Octobercms October with a CVSS 3.x base score of 2.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.

Key facts

Description

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target's browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) & v1.1.0.

Frequently asked questions

What is CVE-2020-15249?
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target's browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) & v1.1.0.
How severe is CVE-2020-15249?
CVE-2020-15249 has a CVSS 3.x base score of 2.8, rated low severity. It is exploitable over local access with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is none, integrity low, and availability none.
Is CVE-2020-15249 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (37th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2020-15249?
CVE-2020-15249 affects Octobercms October. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2020-15249?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2020-15249 published?
CVE-2020-15249 was published on 2020-11-23 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Octobercms October

All CVEs affecting Octobercms October →

Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities

Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →