[VIM] OctavoCMS (CVE-2014-4331) is not always site-specific

Steven M. Christey coley at mitre.org
Sat Jul 19 12:16:58 CDT 2014


We received an inquiry from OSVDB about CVE-2014-4331, in which it 
appeared that OctavoCMS is a site-specific/hosted solution only.  We 
investigated further.  Based on 
http://www.3gwebdesign.com/solutions/cms.edesign.terms.php, there might be 
some (rare) cases in which OctavoCMS could have been installed on 
customer-controlled systems in 2012 or earlier: "Whilst FTP access and the 
installation on a clients server is not standard, an additional cost can 
be added to allow for this and the encrypting of the sites PHP files, 
arranged prior to a project commencement. Since 2012, Octavo 'has' to be 
on our servers."

In light of this discovery, we are treating OctavoCMS as a (sometimes) 
customer-controlled product and thus within CVE's scope.

- Steve
