CVE-2024-25637

2024-06-2616:15:10

CWE-79

[email protected]

web.nvd.nist.gov

october cms

laravel framework

html injection

patch

cve-2024-25637

3.1 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

3.9 Low

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool. This issue has been patched in version 3.5.15.

Affected configurations

Vulners

Node

octobercmsoctoberRange3.2–3.5.15

CNA Affected

[
  {
    "vendor": "octobercms",
    "product": "october",
    "versions": [
      {
        "version": ">= 3.2, < 3.5.15",
        "status": "affected"
      }
    ]
  }
]