CVE-2017-15284 Information

Description

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least-privileged user to upload an SVG file containing malicious script as the Avatar for their profile. When the avatar is opened by the Admin, the embedded JavaScript executes in the context of the Admin account (stored XSS via an unsanitised SVG upload).

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2

https://packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.html

https://www.exploit-db.com/exploits/42978/

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.4

Base Severity

MEDIUM
