CVE-2024-24764Open Redirect in October

CWE-601Open Redirect3 documents3 sources
Severity
4.8MEDIUMNVD
EPSS
0.1%
top 72.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Octobercms OctoberOctober System
Timeline
PublishedJun 26

Description

October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema (`october://`) allowed external links, therefore allowing an open redirect outside the scope of the active host. This vulnerability has been patched in version 3.5.15.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages3 packages

Packagistoctober/system3.23.5.15
NVDoctobercms/october3.2.03.5.15
CVEListV5octobercms/october>= 3.2, < 3.5.15

🔴Vulnerability Details

2
GHSA
October System module has an Open Redirect for Administrator Accounts2024-06-26
OSV
October System module has an Open Redirect for Administrator Accounts2024-06-26