CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-44383 – October CMS stored XSS by authenticated backend user with improper configuration
https://notcve.org/view.php?id=CVE-2023-44383
October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. This issue has been patched in version 3.5.2. October es Content Management System (CMS) y una plataforma web para ayudar con el flujo de trabajo de desarrollo. Un usuario con acceso al administrador de medios que almacena archivos SVG podría crear un ataque XSS almacenado contra sí mismo y contra cualquier otro usuario con acceso al administrador de medios cuando se admiten archivos SVG. • https://github.com/octobercms/october/commit/b7eed0bbf54d07ff310fcdc7037a8e8bf1f5043b https://github.com/octobercms/october/security/advisories/GHSA-rvx8-p3xp-fj3p • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2023-43876
https://notcve.org/view.php?id=CVE-2023-43876
A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field. Vulnerabilidad de Cross-Site Scripting (XSS) en la instalación de October v.3.4.16 permite a un atacante ejecutar scripts web arbitrarios a través de un payload manipulado inyectado en el campo dbhost. • https://github.com/sromanhu/CVE-2023-43876-October-CMS-Reflected-XSS---Installation https://github.com/sromanhu/October-CMS-Reflected-XSS---Installation/blob/main/README.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37692
https://notcve.org/view.php?id=CVE-2023-37692
An arbitrary file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code via a crafted file. • https://okankurtulus.com.tr/2023/07/24/october-cms-v3-4-4-stored-cross-site-scripting-xss-authenticated • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2022-35944 – October CMS Safe Mode bypass leads to authenticated RCE (Remote Code Execution)
https://notcve.org/view.php?id=CVE-2022-35944
October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request. The issue has been patched in versions 2.2.34 and 3.0.66. October es una plataforma de Sistema de Administración de Contenidos (CMS) auto alojada basada en el Framework PHP Laravel. • https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-24800 – Race Condition in October CMS upload process
https://notcve.org/view.php?id=CVE-2022-24800
October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory. This vulnerability affects plugins that expose the `October\Rain\Database\Attach\File::fromData` as a public interface and does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally. The issue has been patched in Build 476 (v1.0.476), v1.1.12, and v2.2.15. Those who are unable to upgrade may apply with patch to their installation manually as a workaround. • https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83 https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •