CVE-2017-1000193 — Cross-site Scripting in October

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 39.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

October Octobercms October

Timeline

PublishedNov 17

Latest updateMay 13

Description

October CMS build 412 is vulnerable to stored WCI (a.k.a XSS) in brand logo image name resulting in JavaScript code execution in the victim's browser.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶Packagistoctober/october< 1.0.413

▶NVDoctobercms/october1.0.412

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

October CMS XSS↗2022-05-13

▶

GHSA

October CMS XSS↗2022-05-13

▶