Stored Cross-Site Scripting October CMS

2023-07-2621:30:19

Google

osv.dev

stored cross-site scripting

october cms

svg upload

arbitrary code execution

authenticated users

browser context

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

23.5%

JSON

An svg file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code in the context of a browser via a crafted svg file. Attackers must be authenticated as users.

CPENameOperatorVersion
october/octobereq1.0.408
october/octobereq3.1.1
october/octobereq3.2.0
october/octobereq2.0.14
october/octobereq1.0.346
october/octobereq1.1.6
october/octobereq1.0.348
october/octobereq1.0.427
october/octobereq1.0.475
october/octobereq1.0.457

Name	Operator	Version
october/october	eq	1.0.408
october/october	eq	3.1.1
october/october	eq	3.2.0
october/october	eq	2.0.14
october/october	eq	1.0.346
october/october	eq	1.1.6
october/october	eq	1.0.348
october/october	eq	1.0.427
october/october	eq	1.0.475
october/october	eq	1.0.457