October Security Vulnerabilities and Issues — October CVE List

Lucene search

OctobercmsOctober

10 matches found

CVE•added 2020/06/03 10:15 p.m.•98 views

CVE-2020-5295

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to read local files of an October CMS server. The vulnerability is only exploitable by an authenticated backend user with the cms.manage_assets permission. Issue has...

4.9CVSS4.7AI score0.08712EPSS

CVE•added 2020/06/03 10:15 p.m.•74 views

CVE-2020-5297

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, an attacker can exploit this vulnerability to upload jpg, jpeg, bmp, png, webp, gif, ico, css, js, woff, woff2, svg, ttf, eot, json, md, less, sass, scss, xml files to any directory of an October CMS server. ...

4CVSS3.5AI score0.01759EPSS

CVE•added 2020/06/03 10:15 p.m.•70 views

CVE-2020-5298

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the ImportExportController behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflec...

4.8CVSS4.4AI score0.00759EPSS

CVE•added 2020/11/23 8:15 p.m.•59 views

CVE-2020-15248

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the new user has....

4.6CVSS4.4AI score0.00049EPSS

CVE•added 2015/09/04 3:59 p.m.•45 views

CVE-2015-5612

Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via the caption tag of a profile image.

4.3CVSS5.3AI score0.00256EPSS

CVE•added 2020/07/14 9:15 p.m.•44 views

CVE-2020-11083

In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users o...

4.8CVSS4.1AI score0.00432EPSS

CVE•added 2025/05/05 5:18 p.m.•42 views

CVE-2024-51991

October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated administrators with sites that have the media.clean_vectors configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulner...

4.8CVSS6.2AI score0.00058EPSS

CVE•added 2024/10/02 8:15 p.m.•37 views

CVE-2024-45962

October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target.

4.7CVSS6AI score0.00073EPSS

CVE•added 2023/12/01 10:15 p.m.•35 views

CVE-2023-44381

October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the editor.cms_pages, editor.cms_layouts, or editor.cms_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to...

4.9CVSS5.1AI score0.00175EPSS

CVE•added 2024/06/26 1:15 a.m.•34 views

CVE-2024-24764

October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema (october://) allowed external links, therefore allowing an op...

4.8CVSS4.2AI score0.00087EPSS