CVE-2020-15248: Incorrect Authorization

November 23, 2020 (updated November 18, 2021)

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from and, backend users with the default “Publisher” system role have access to create & manage users where they can choose which role the new user has. This means that a user with “Publisher” access has the ability to escalate their access to “Developer” access.

References

nvd.nist.gov/vuln/detail/CVE-2020-15248

Detect and mitigate CVE-2020-15248 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →