CVE-2017-15284

MEDIUM

OctoberCMS < 1.0.426 - Stored Cross-Site Scripting via SVG Avatar Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-15284. PoCs published by Ishaq Mohammed.

AI-analyzed exploit summary: This is a writeup describing a stored XSS vulnerability in OctoberCMS 1.0.425, where a low-privileged user can upload a malicious SVG file as an avatar, leading to JavaScript execution in the context of an admin account when viewed.

Description

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.

Exploits (1)

exploitdb WRITEUP
by Ishaq Mohammed · text · webapps · php
https://www.exploit-db.com/exploits/42978

Classification
Writeup 100%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: OctoberCMS 1.0.425 (Build 425)
Auth required
Prerequisites: Valid user credentials · Admin interaction to trigger payload
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory, VDB Entry (x_refsource_MISC)
https://packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.html
Exploit, Third Party Advisory, VDB Entry (exploit, x_refsource_EXPLOIT-DB)
https://www.exploit-db.com/exploits/42978/

Scores

CVSS v3 5.4
EPSS 0.0241
EPSS Percentile 85.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
october/rain 0 - 1.0.426 (Packagist)
octobercms/october 1.0.425
Published Oct 12, 2017
Tracked Since Feb 18, 2026