CVE-2024-51991 — Unrestricted File Upload in October

CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

1.1LOWNVD

EPSS

0.3%

top 45.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Octobercms October October October System

Timeline

PublishedMay 5

Description

October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this protection by uploading it with a permitted extension (for example, .jpg or .png) and later modifying it to the .svg extension. This vulnerability …

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages3 packages

▶Packagistoctober/system< 3.7.5

▶Packagistoctober/october< 3.7.5

▶NVDoctobercms/october< 3.7.5

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

October CMS Allows Unprotected SVG Rename in Media Manager↗2025-05-05

▶

GHSA

October CMS Allows Unprotected SVG Rename in Media Manager↗2025-05-05

▶