Lucene search
K

146 matches found

CVE
CVE
added 2020/06/03 9:55 p.m.87 views

CVE-2020-5298

In OctoberCMS (composer package october/october), CVE-2020-5298 affects versions 1.0.319 and earlier than 1.0.466 where a user with access to the ImportExportController’s import flow can be socially engineered to upload a crafted CSV, enabling a reflected XSS on the user. The issue is mitigated b...

4.8CVSS4.4AI score0.00909EPSS
Exploits3References4Affected Software1
Cvelist
Cvelist
added 2020/06/03 9:50 p.m.38 views

CVE-2020-5295 Local File read vulnerability in OctoberCMS

In OctoberCMS october/october composer package versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manageassets permission. Issue has...

4.8CVSS4.8AI score0.07371EPSS
Exploits4References4
CVE
CVE
added 2020/06/03 9:50 p.m.120 views

CVE-2020-5295

CVE-2020-5295 affects October CMS (october/october composer package) versions 1.0.319–1.0.465. An authenticated backend user with cms.manage_assets permission can read local files on the server. The issue has been fixed in Build 466 (v1.0.466).

4.9CVSS4.7AI score0.07371EPSS
Exploits4References4Affected Software1
CNVD
CNVD
added 2017/11/17 12:0 a.m.4 views

October CMS PHP Object Injection Vulnerability

OctoberCMS is a CMS system based on Laravel PHP development framework. A PHP object injection vulnerability exists in the asset movement feature of October CMS build 412. An attacker can exploit the vulnerability to delete restricted files on the server...

7.5CVSS7.4AI score0.01525EPSS
Exploits0References1
CNVD
CNVD
added 2017/11/17 12:0 a.m.4 views

October CMS PHP Code Execution Vulnerability

OctoberCMS is a CMS system based on Laravel PHP development framework. A PHP code execution vulnerability exists in the Asset Manager feature of October CMS build 412. An attacker can exploit this vulnerability to compromise a website and other applications on the server...

9.8CVSS7.6AI score0.01944EPSS
Exploits0References1
CNVD
CNVD
added 2017/11/17 12:0 a.m.6 views

October CMS Cross-Site Scripting Vulnerability (CNVD-2017-37277)

OctoberCMS is a CMS system based on Laravel PHP development framework. A cross-site scripting vulnerability exists in the brand logo image name in October CMS build 412. An attacker can exploit this vulnerability to execute JavaScript code in the victim's browser...

6.1CVSS6.5AI score0.01003EPSS
Exploits0References1
Packet Storm
Packet Storm
added 2017/11/02 12:0 a.m.35 views

OctoberCMS 1.0.426 (Build 426) Cross Site Request Forgery

Exploit Title: OctoberCMS 1.0.426 - CSRF to Admin Account Takover Vendor Homepage: https://octobercms.com Software Link: https://octobercms.com/download Exploit Author: Zain Sabahat Website: https://about.me/ZainSabahat Category: webapps CVE: CVE-2017-16244 1. Description Cross-Site Request Forge...

8.7AI score0.01976EPSS
Exploits5
Veracode
Veracode
added 2017/11/01 6:39 a.m.15 views

Cross-site Request Forgery (CSRF) Bypass

OctoberCMS is vulnerable to cross-site request forgery CSRF. The library does not properly validate CSRF Tokens in the handler postback variable, allowing a malicious user to conduct a CSRF attack and authenticate as another user...

8.8CVSS8.5AI score0.01976EPSS
Exploits5References2Affected Software2
NVD
NVD
added 2017/11/01 1:29 a.m.22 views

CVE-2017-16244

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 aka Build 426 due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a...

8.8CVSS8.6AI score0.01976EPSS
Exploits5References2
OSV
OSV
added 2017/11/01 1:29 a.m.27 views

CVE-2017-16244

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 aka Build 426 due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a...

8.8CVSS6.7AI score
Exploits0References2
Prion
Prion
added 2017/11/01 1:29 a.m.13 views

Cross site request forgery (csrf)

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 aka Build 426 due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a...

6.8CVSS8.5AI score0.01976EPSS
Exploits5References2Affected Software1
Cvelist
Cvelist
added 2017/11/01 1:0 a.m.28 views

CVE-2017-16244

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 aka Build 426 due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a...

8.7AI score0.01976EPSS
Exploits5References2
CVE
CVE
added 2017/11/01 1:0 a.m.68 views

CVE-2017-16244

CVE-2017-16244 affects OctoberCMS 1.0.426 (Build 426). The issue is Cross-Site Request Forgery due to improper validation of CSRF tokens for postback handling, bypassing X-CSRF headers and CSRF tokens via a _handler postback variable. This can allow an attacker to take over a victim’s admin accou...

8.8CVSS8.5AI score0.01976EPSS
Exploits5References2Affected Software1
0day.today
0day.today
added 2017/11/01 12:0 a.m.34 views

OctoberCMS 1.0.426 (Build 426) - Cross-Site Request Forgery Vulnerability

Exploit for php platform in category web applications Exploit Title: OctoberCMS 1.0.426 - CSRF to Admin Account Takover Vendor Homepage: https://octobercms.com Software Link: https://octobercms.com/download Exploit Author: Zain Sabahat Website: https://about.me/ZainSabahat Category: webapps CVE:...

6.8CVSS0.1AI score0.01976EPSS
Exploits5
exploitpack
exploitpack
added 2017/11/01 12:0 a.m.31 views

OctoberCMS 1.0.426 (Build 426) - Cross-Site Request Forgery

OctoberCMS 1.0.426 Build 426 - Cross-Site Request Forgery Exploit Title: OctoberCMS 1.0.426 - CSRF to Admin Account Takover Vendor Homepage: https://octobercms.com Software Link: https://octobercms.com/download Exploit Author: Zain Sabahat Website: https://about.me/ZainSabahat Category: webapps...

6.8CVSS0.3AI score0.01976EPSS
Exploits5
Exploit DB
Exploit DB
added 2017/11/01 12:0 a.m.45 views

OctoberCMS 1.0.426 (Build 426) - Cross-Site Request Forgery

Exploit Title: OctoberCMS 1.0.426 - CSRF to Admin Account Takover Vendor Homepage: https://octobercms.com Software Link: https://octobercms.com/download Exploit Author: Zain Sabahat Website: https://about.me/ZainSabahat Category: webapps CVE: CVE-2017-16244 1. Description Cross-Site Request Forge...

8.8CVSS8.8AI score0.01976EPSS
Exploits5
CNVD
CNVD
added 2017/10/25 12:0 a.m.3 views

OctoberCMS Cross-Site Request Forgery Vulnerability

OctoberCMS is an open source, self-hosted content management system CMS built on the Laravel PHP framework developed by Canadian software developer Alexey Bobkov and Australian software developer Samuel Georges. A cross-site request forgery vulnerability exists in OctoberCMS version 1.0.426 a.k.a...

8.8CVSS7AI score0.01976EPSS
Exploits5References1
OSV
OSV
added 2017/10/12 8:29 a.m.19 views

CVE-2017-15284

Cross-Site Scripting exists in OctoberCMS 1.0.425 aka Build 425, allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account...

5.4CVSS6.4AI score
Exploits0References3
Prion
Prion
added 2017/10/12 8:29 a.m.15 views

Cross site scripting

Cross-Site Scripting exists in OctoberCMS 1.0.425 aka Build 425, allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account...

3.5CVSS5.4AI score0.04027EPSS
Exploits5References3Affected Software1
NVD
NVD
added 2017/10/12 8:29 a.m.22 views

CVE-2017-15284

Cross-Site Scripting exists in OctoberCMS 1.0.425 aka Build 425, allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account...

5.4CVSS5.4AI score0.04027EPSS
Exploits5References3
Rows per page
Query Builder