CVE-2017-1000119 – October CMS - Upload Protection Bypass Code Execution
https://notcve.org/view.php?id=CVE-2017-1000119
October CMS build 412 is vulnerable to PHP code execution in the file upload functionality, resulting in compromise of the site and possibly of other applications on the server.
• https://www.exploit-db.com/exploits/47376
• http://octobercms.com/support/article/rn-8
• http://packetstormsecurity.com/files/154390/October-CMS-Upload-Protection-Bypass-Code-Execution.html
• https://bitflipper.eu/finding/2017/04/october-cms-v10412-several-issues.html
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2015-5613
https://notcve.org/view.php?id=CVE-2015-5613
Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving a file title, a different vulnerability than CVE-2015-5612.
• http://www.openwall.com/lists/oss-security/2015/07/22/3
• https://github.com/octobercms/october/commit/8a4ac533e5cd6b8f92e9ef19fbfbb2f505dc7a9a
• https://github.com/octobercms/october/issues/1302
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-5612
https://notcve.org/view.php?id=CVE-2015-5612
Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via the caption tag of a profile image.
• http://www.openwall.com/lists/oss-security/2015/07/21/5
• http://www.openwall.com/lists/oss-security/2015/07/22/3
• https://github.com/octobercms/october/commit/8a4ac533e5cd6b8f92e9ef19fbfbb2f505dc7a9a
• https://github.com/octobercms/october/issues/1302
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')