CVE-2017-16244

HIGH

OctoberCMS 1.0.426 - CSRF

Title source: llm

Description

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable.

Exploits (1)

exploitdb WORKING POC

by Zain Sabahat · textwebappsphp

https://www.exploit-db.com/exploits/43106

View Code ZIP pw:eip

References (2)

[Patch, Third Party Advisory] https://github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/43106/

Scores

CVSS v3 8.8

EPSS 0.0040

EPSS Percentile 60.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-352

Status published

Products (2)

october/october 0 - 1.0.427Packagist

octobercms/october 1.0.426

Published Nov 01, 2017

Tracked Since Feb 18, 2026