Main Vulnerability Database Vulnerabilities #VU38072

Cross-site scripting in October CMS - CVE-2017-15284

Published: October 12, 2017 / Updated: August 9, 2020

Vulnerability identifier: #VU38072

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear

CVE-ID: CVE-2017-15284

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: OctoberCMS

Affected software:
October CMS

Detailed vulnerability description

The vulnerability allows a remote authenticated user to read and manipulate data.

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.

How to mitigate CVE-2017-15284

Install update from vendor's website.

Sources

https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2
https://packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.html
https://www.exploit-db.com/exploits/42978/

Cross-site scripting in October CMS - CVE-2017-15284

Detailed vulnerability description

How to mitigate CVE-2017-15284

Sources

Please verify you're human