Main Vulnerability Database Vulnerabilities #VU38072

#VU38072 Cross-site scripting in October CMS - CVE-2017-15284

Published: October 12, 2017 / Updated: August 9, 2020

Vulnerability identifier: #VU38072

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear

CVE-ID: CVE-2017-15284

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
October CMS

Software vendor:
OctoberCMS

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.

Remediation

Install update from vendor's website.

External links

https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2
https://packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.html
https://www.exploit-db.com/exploits/42978/

#VU38072 Cross-site scripting in October CMS - CVE-2017-15284

Description

Remediation

External links

Please verify you're human