Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-15284 — Cross-site Scripting in October

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

1.7%

top 17.49%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

October Rain Octobercms October

Timeline

PublishedOct 12

Latest updateMay 13

Description

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDoctobercms/october1.0.425

▶Packagistoctober/rain< 1.0.426

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

OctoberCMS Cross-Site Scripting↗2022-05-13

▶

GHSA

OctoberCMS Cross-Site Scripting↗2022-05-13

▶

💥Exploits & PoCs

Exploit-DB

OctoberCMS 1.0.425 (Build 425) - Cross-Site Scripting↗2017-10-12

▶