cvelist / GitHub_M / CVELIST:CVE-2024-24764
History: Jun 26, 2024 - 12:02 a.m.

CVE-2024-24764 October Open Redirect for Administrator Accounts

2024-06-26 00:02:49
CWE-601
GitHub_M
www.cve.org
cve-2024-24764
october cms
open redirect
administrator accounts
pagefinder
laravel php framework
patched version 3.5.15

CVSS3: 3.5 Low

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L

EPSS: 0.001 Low
Percentile: 26.1%

October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema (october://) allowed external links, therefore allowing an open redirect outside the scope of the active host. This vulnerability has been patched in version 3.5.15.

CNA Affected

[
  {
    "vendor": "octobercms",
    "product": "october",
    "versions": [
      {
        "version": ">= 3.2, < 3.5.15",
        "status": "affected"
      }
    ]
  }
]
