146 matches found
CVE-2020-5298
In OctoberCMS (composer package october/october), CVE-2020-5298 affects versions 1.0.319 and earlier than 1.0.466 where a user with access to the ImportExportController’s import flow can be socially engineered to upload a crafted CSV, enabling a reflected XSS on the user. The issue is mitigated b...
CVE-2020-5295 Local File read vulnerability in OctoberCMS
In OctoberCMS october/october composer package versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manageassets permission. Issue has...
CVE-2020-5295
CVE-2020-5295 affects October CMS (october/october composer package) versions 1.0.319–1.0.465. An authenticated backend user with cms.manage_assets permission can read local files on the server. The issue has been fixed in Build 466 (v1.0.466).
October CMS PHP Object Injection Vulnerability
OctoberCMS is a CMS system based on Laravel PHP development framework. A PHP object injection vulnerability exists in the asset movement feature of October CMS build 412. An attacker can exploit the vulnerability to delete restricted files on the server...
October CMS PHP Code Execution Vulnerability
OctoberCMS is a CMS system based on Laravel PHP development framework. A PHP code execution vulnerability exists in the Asset Manager feature of October CMS build 412. An attacker can exploit this vulnerability to compromise a website and other applications on the server...
October CMS Cross-Site Scripting Vulnerability (CNVD-2017-37277)
OctoberCMS is a CMS system based on Laravel PHP development framework. A cross-site scripting vulnerability exists in the brand logo image name in October CMS build 412. An attacker can exploit this vulnerability to execute JavaScript code in the victim's browser...
OctoberCMS 1.0.426 (Build 426) Cross Site Request Forgery
Exploit Title: OctoberCMS 1.0.426 - CSRF to Admin Account Takover Vendor Homepage: https://octobercms.com Software Link: https://octobercms.com/download Exploit Author: Zain Sabahat Website: https://about.me/ZainSabahat Category: webapps CVE: CVE-2017-16244 1. Description Cross-Site Request Forge...
Cross-site Request Forgery (CSRF) Bypass
OctoberCMS is vulnerable to cross-site request forgery CSRF. The library does not properly validate CSRF Tokens in the handler postback variable, allowing a malicious user to conduct a CSRF attack and authenticate as another user...
CVE-2017-16244
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 aka Build 426 due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a...
CVE-2017-16244
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 aka Build 426 due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a...
Cross site request forgery (csrf)
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 aka Build 426 due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a...
CVE-2017-16244
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 aka Build 426 due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a...
CVE-2017-16244
CVE-2017-16244 affects OctoberCMS 1.0.426 (Build 426). The issue is Cross-Site Request Forgery due to improper validation of CSRF tokens for postback handling, bypassing X-CSRF headers and CSRF tokens via a _handler postback variable. This can allow an attacker to take over a victim’s admin accou...
OctoberCMS 1.0.426 (Build 426) - Cross-Site Request Forgery Vulnerability
Exploit for php platform in category web applications Exploit Title: OctoberCMS 1.0.426 - CSRF to Admin Account Takover Vendor Homepage: https://octobercms.com Software Link: https://octobercms.com/download Exploit Author: Zain Sabahat Website: https://about.me/ZainSabahat Category: webapps CVE:...
OctoberCMS 1.0.426 (Build 426) - Cross-Site Request Forgery
OctoberCMS 1.0.426 Build 426 - Cross-Site Request Forgery Exploit Title: OctoberCMS 1.0.426 - CSRF to Admin Account Takover Vendor Homepage: https://octobercms.com Software Link: https://octobercms.com/download Exploit Author: Zain Sabahat Website: https://about.me/ZainSabahat Category: webapps...
OctoberCMS 1.0.426 (Build 426) - Cross-Site Request Forgery
Exploit Title: OctoberCMS 1.0.426 - CSRF to Admin Account Takover Vendor Homepage: https://octobercms.com Software Link: https://octobercms.com/download Exploit Author: Zain Sabahat Website: https://about.me/ZainSabahat Category: webapps CVE: CVE-2017-16244 1. Description Cross-Site Request Forge...
OctoberCMS Cross-Site Request Forgery Vulnerability
OctoberCMS is an open source, self-hosted content management system CMS built on the Laravel PHP framework developed by Canadian software developer Alexey Bobkov and Australian software developer Samuel Georges. A cross-site request forgery vulnerability exists in OctoberCMS version 1.0.426 a.k.a...
CVE-2017-15284
Cross-Site Scripting exists in OctoberCMS 1.0.425 aka Build 425, allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account...
Cross site scripting
Cross-Site Scripting exists in OctoberCMS 1.0.425 aka Build 425, allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account...
CVE-2017-15284
Cross-Site Scripting exists in OctoberCMS 1.0.425 aka Build 425, allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account...