CVSS3: 5.4 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.0004 Low (Percentile: 14.1%)
This advisory has been withdrawn because the vulnerability affects October CMS’s installer, not October CMS. The installer deletes all folders and files upon completion of installation. The vulnerability is valid, but because October’s installer is not part of one of the GitHub Advisory Database’s supported ecosystems, alerts cannot be sent out for the correct package.
A Cross-Site Scripting (XSS) vulnerability in the installer of October CMS allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field.
CPE

Name | Operator | Version |
---|---|---|
october/cms | le | 3.4.16 |
github.com/advisories/GHSA-2g8p-j2r6-vqpj
github.com/octobercms/install/commit/ef1225b5596b7c2eb5ca3aa700a23e9f8acf387b
github.com/sromanhu/CVE-2023-43876-October-CMS-Reflected-XSS---Installation/issues/1
github.com/sromanhu/October-CMS-Reflected-XSS---Installation/blob/main/README.md
nvd.nist.gov/vuln/detail/CVE-2023-43876