CVE-2017-15284

moderate-risk
Published 2017-10-12

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.

Do I need to act?

~
1.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
42978
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Octobercms

References (6)

Patch https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95...
Exploit https://packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scrip...
Exploit https://www.exploit-db.com/exploits/42978/
Patch https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95...
Exploit https://packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scrip...
Exploit https://www.exploit-db.com/exploits/42978/
31
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 5/34 · Minimal
Exposure 5/34 · Minimal