GitHub Advisory Database: GHSA-2G8P-J2R6-VQPJ
History: Sep 28, 2023 - 3:30 p.m.

Withdrawn Advisory: October Cross-site Scripting vulnerability

2023-09-28 15:30:17
CWE-79
GitHub Advisory Database
github.com
cross-site scripting
october cms
vulnerability

CVSS3: 5.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.0004 Low
Percentile: 14.1%

Withdrawn Advisory

This advisory has been withdrawn because the vulnerability affects October CMS’s installer, not October CMS. The installer deletes all folders and files upon completion of installation. The vulnerability is valid, but because October’s installer is not part of one of the GitHub Advisory Database’s supported ecosystems, alerts cannot be sent out for the correct package.

Corrected Description

A Cross-Site Scripting (XSS) vulnerability in the installer of October CMS allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field.

Affected configurations

Vulners
Node: octobercms Range 3.4.16

CPE    Name    Operator    Version
october/cms    le    3.4.16
