CVE-2023-44383

2023-11-2920:15:07

Google

osv.dev

october cms

stored xss attack

media manager

svg files

patched

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

14.1%

JSON

October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. This issue has been patched in version 3.5.2.

CPENameOperatorVersion
octobereq1.0.349
octobereq1.0.428
octobereq3.5.1
octobereq1.0.426
octobereq1.0.333
octobereq1.0.411
octobereq1.0.378
octobereq1.0.429
octobereq1.0.336
octobereq1.0.457

Name	Operator	Version
october	eq	1.0.349
october	eq	1.0.428
october	eq	3.5.1
october	eq	1.0.426
october	eq	1.0.333
october	eq	1.0.411
october	eq	1.0.378
october	eq	1.0.429
october	eq	1.0.336
october	eq	1.0.457