Main Vulnerability Database Exploits ID:3770 - Exploit for Cross-site scripting in October CMS - CVE-2017-15284

ID:3770 - Exploit for Cross-site scripting in October CMS - CVE-2017-15284

Published: August 9, 2020

Vulnerability identifier: #VU38072

Vulnerability risk: Low

CVE-ID: CVE-2017-15284

CWE-ID: CWE-79

Exploitation vector: Remote access

Vulnerable software:
October CMS

Link to public exploit:

https://www.exploit-db.com/exploits/42978/

Vulnerability description

The vulnerability allows a remote authenticated user to read and manipulate data.

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.

Remediation

Install update from vendor's website.

ID:3770 - Exploit for Cross-site scripting in October CMS - CVE-2017-15284

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human