Filtered by vendor Octobercms
Subscribe
Total
46 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-15284 | 1 Octobercms | 1 October | 2020-08-03 | 3.5 LOW | 5.4 MEDIUM |
| Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account. | |||||
| CVE-2017-1000119 | 1 Octobercms | 1 October | 2020-08-03 | 6.5 MEDIUM | 7.2 HIGH |
| October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server. | |||||
| CVE-2020-4061 | 1 Octobercms | 1 October | 2020-07-06 | 3.5 LOW | 5.4 MEDIUM |
| In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467. | |||||
| CVE-2020-11094 | 1 Octobercms | 1 Debugbar | 2020-06-10 | 6.8 MEDIUM | 9.8 CRITICAL |
| The October CMS debugbar plugin before version 3.1.0 contains a feature where it will log all requests (and all information pertaining to each request including session data) whenever it is enabled. This presents a problem if the plugin is ever enabled on a system that is open to untrusted users as the potential exists for them to use this feature to view all requests being made to the application and obtain sensitive information from those requests. There even exists the potential for account takeovers of authenticated users by non-authenticated public users, which would then lead to a number of other potential issues as an attacker could theoretically get full access to the system if the required conditions existed. Issue has been patched in v3.1.0 by locking down access to the debugbar to all users; it now requires an authenticated backend user with a specifically enabled permission before it is even usable, and the feature that allows access to stored request information is restricted behind a different permission that's more restrictive. | |||||
| CVE-2015-5613 | 1 Octobercms | 1 October | 2017-10-06 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving a file title, a different vulnerability than CVE-2015-5612. | |||||
| CVE-2015-5612 | 1 Octobercms | 1 October | 2015-09-04 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via the caption tag of a profile image. | |||||