Cross-site scripting in OctoberCMS October CMS



Published: 2017-10-12 | Updated: 2020-08-08
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-15284
CWE-ID CWE-79
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe 		October CMS
Web applications / CMS

Vendor OctoberCMS

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Cross-site scripting

EUVDB-ID: #VU38072

Risk: Low

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-15284

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: Yes

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.

Mitigation

Install update from vendor's website.

Vulnerable software versions

October CMS: 1.0.425

External links

http://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2
http://packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.html
http://www.exploit-db.com/exploits/42978/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###