[VIM] OctavoCMS (CVE-2014-4331) is not always site-specific
Steven M. Christey
coley at mitre.org
Sat Jul 19 12:16:58 CDT 2014
We received an inquiry from OSVDB about CVE-2014-4331, in which it
appeared that OctavoCMS is a site-specific/hosted solution only. We
investigated further. Based on
http://www.3gwebdesign.com/solutions/cms.edesign.terms.php, there might be
some (rare) cases in which OctavoCMS could have been installed on
customer-controlled systems in 2012 or earlier: "Whilst FTP access and the
installation on a clients server is not standard, an additional cost can
be added to allow for this and the encrypting of the sites PHP files,
arranged prior to a project commencement. Since 2012, Octavo 'has' to be
on our servers."

In light of this discovery, we are treating OctavoCMS as a (sometimes)
customer-controlled product and thus within CVE's scope.

- Steve