OctoberCMS is vulnerable to cross-site scripting (XSS). The attack is possible because the application does not sanitize the imported CSV column names (the column parameters), and so does not prevent the upload of a malicious CSV file.
CPE Name | Operator | Version
---|---|---
october/october | le | 1.0.465
packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html
seclists.org/fulldisclosure/2020/Aug/2
github.com/advisories/GHSA-gg6x-xx78-448c
github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c
github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c
stazot.com