Cross-Site Scripting (XSS)

2020-06-0408:12:55

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.003 Low

EPSS

Percentile

71.5%

JSON

OctoberCMS is vulnerable to cross-site scripting (XSS). The attack is possible because it does not prevent uploading of malicious CSV file by sanitizing the imported CSV column names column parameters.

CPENameOperatorVersion
october/octoberle1.0.465
october/octoberle1.0.465

CPE	Name	Operator	Version
	october/october	le	1.0.465
	october/october	le	1.0.465

References

packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html

seclists.org/fulldisclosure/2020/Aug/2

github.com/advisories/GHSA-gg6x-xx78-448c

github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c

github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c

stazot.com

0.003 Low

EPSS

Percentile

71.5%

JSON

Related for VERACODE:25609