Description
Withdrawn Advisory: October Cross-site Scripting vulnerability
Withdrawn Advisory
This advisory has been withdrawn because the vulnerability affects October CMS's installer, not October CMS. The installer deletes all folders and files upon completion of installation. The vulnerability is valid, but because October's installer is not part of one of the GitHub Advisory Database's supported ecosystems, alerts cannot be sent out for the correct package.
Corrected Description
A Cross-Site Scripting (XSS) vulnerability in the installer of October CMS allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-43876
- https://github.com/sromanhu/CVE-2023-43876-October-CMS-Reflected-XSS---Installation/issues/1
- https://github.com/octobercms/install/commit/ef1225b5596b7c2eb5ca3aa700a23e9f8acf387b
- https://github.com/sromanhu/October-CMS-Reflected-XSS---Installation/blob/main/README.md
Packages
october/cms
<= 3.4.16
None
Related vulnerabilities
A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field.