CVE-2024-45962 — Cross-site Scripting in October

CWE-79 — Cross-site Scripting CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

4.7MEDIUMNVD

EPSS

0.3%

top 49.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

October Octobercms October

Timeline

PublishedOct 2

Description

October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶Packagistoctober/october3.6.4

▶NVDoctobercms/october3.6.30

🔴Vulnerability Details

GHSA

October allows an admin account to upload PDF containing malicious JavaScript↗2024-10-02

▶

OSV

October allows an admin account to upload PDF containing malicious JavaScript↗2024-10-02

▶