Vulnerability CVE-2017-15284


Published: 2017-10-12

Description:
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.

See advisories in our WLB2 database:
Topic
Author
Date
Low
OctoberCMS 1.0.425 Cross Site Scripting
Ishaq Mohammed
12.10.2017

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

 References:
https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2

Copyright 2017, cxsecurity.com

 

Back to Top