CVE-2024-25637: Cross-site Scripting in October

Severity: 5.4 MEDIUM (NVD)
EPSS: 0.8% (top 25.55%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 26

Description

October is a self-hosted CMS platform based on the Laravel PHP Framework. The AJAX handler name supplied in the X-October-Request-Handler header is not sanitized, and unescaped HTML in that value is reflected back in the response. There is no impact since this vulnerability cannot be exploited through normal browser interactions. The unescaped value is only detectable when using a proxy interception tool. This issue has been patched in version 3.5.15.
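The following is an added illustration of the server-side handling described above, written for this page and not taken from October CMS: the weak path interpolates the raw header value into the error text, while the hardened path validates the handler name against a strict pattern and HTML-escapes anything it echoes. The handler-name pattern is an assumption modelled on the "onAction" / "alias::onAction" naming convention, not October's actual implementation.

```php
<?php
// Added example (not October CMS code). The pattern below is an assumption
// modelled on the "onAction" / "alias::onAction" handler naming convention.
declare(strict_types=1);

const HANDLER_PATTERN = '/^(?:[A-Za-z][A-Za-z0-9_]*::)?on[A-Z][A-Za-z0-9_]*$/';

/** Returns true only for a well-formed AJAX handler name. */
function isValidHandlerName(string $handler): bool
{
    return preg_match(HANDLER_PATTERN, $handler) === 1;
}

/**
 * Weak behaviour: the raw header value is interpolated into the error
 * response, so any markup it contains is reflected verbatim.
 */
function errorResponseWeak(string $handler): string
{
    return "AJAX handler '{$handler}' was not found.";
}

/**
 * Hardened behaviour: reject anything outside the expected pattern and
 * HTML-escape whatever is echoed, so the response never carries markup
 * taken from the request header.
 */
function errorResponseHardened(string $handler): string
{
    if (!isValidHandlerName($handler)) {
        // Malformed names are never echoed back at all.
        return 'AJAX handler name is invalid.';
    }
    $safe = htmlspecialchars($handler, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "AJAX handler '{$safe}' was not found.";
}

// Constructed sample header values for a local comparison of both paths.
$samples = ['onRefresh', 'cart::onAdd', 'onTest<b>x</b>', "onTest'x"];
foreach ($samples as $value) {
    printf("%-18s valid=%s\n", $value, isValidHandlerName($value) ? 'yes' : 'no');
    echo '  weak:     ', errorResponseWeak($value), PHP_EOL;
    echo '  hardened: ', errorResponseHardened($value), PHP_EOL;
}
```

Run with `php example.php`; the two malformed samples produce a generic message on the hardened path while the weak path reflects them unchanged.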

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (3 packages)

Source      Package              Affected            Patched
Packagist   october/system       3.2                 3.5.15
NVD         octobercms/october   3.2.0               3.5.15
CVEListV5   octobercms/october   >= 3.2, < 3.5.15

Vulnerability Details (2)

GHSA: October System module has a Reflected XSS via X-October-Request-Handler Header (2024-06-26)
OSV: October System module has a Reflected XSS via X-October-Request-Handler Header (2024-06-26)