2 matches found
October System module has an Open Redirect for Administrator Accounts
Impact: This advisory affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema october:// allowed external links, therefore allowing an open redirect outside the scope of the active host. This...
October System module has a Reflected XSS via X-October-Request-Handler Header
Impact: The X-October-Request-Handler header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy...