CVE-2017-15284

MEDIUM

October < 1.0.426 - XSS


Description

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least-privileged user to upload an SVG file containing malicious code as the Avatar for their profile. When this avatar is opened by the Admin, the embedded code executes as JavaScript in the context of the Admin account.

Exploits (1)

exploitdb WRITEUP
by Ishaq Mohammed · text · webapps · php
https://www.exploit-db.com/exploits/42978

Scores

CVSS v3 5.4
EPSS 0.0173
EPSS Percentile 82.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
october/rain 0 - 1.0.426 (Packagist)
octobercms/october 1.0.425
Published Oct 12, 2017
Tracked Since Feb 18, 2026