CVE-2017-15284

Опубликовано: 12 окт. 2017

Источник: nvd

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.

Ссылки

https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2
Patch
Third Party Advisory
https://packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.html
Exploit
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/42978/
Exploit
Third Party Advisory
VDB Entry
https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2
Patch
Third Party Advisory
https://packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.html
Exploit
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/42978/
Exploit
Third Party Advisory
VDB Entry

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:octobercms:october:1.0.425:*:*:*:*:*:*:*

EPSS

Процентиль: 82%

0.01729

Низкий

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-gvgf-fp4m-2hw6