Lucene search

[email protected]CVE-2017-15284

HistoryOct 12, 2017 - 8:29 a.m.

CVE-2017-15284

2017-10-1208:29:00

CWE-79

[email protected]

web.nvd.nist.gov

cross-site scripting

octobercms

cve-2017-15284

information security

nvd

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

69.3%

JSON

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.

Affected configurations

NVD

Node

octobercmsoctoberMatch1.0.425

CPENameOperatorVersion
octobercms:octoberoctobercms octobereq1.0.425

CPE	Name	Operator	Version
octobercms:october	octobercms october	eq	1.0.425

References

github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2

packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.html

www.exploit-db.com/exploits/42978/

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

Access Complexity

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

69.3%

JSON

Related for CVE-2017-15284

nvd1 prion1 osv1 packetstorm1 zdt1 exploitpack1 cvelist1 exploitdb1