CVE-2023-43876 – october/cms
Package
Manager: composer
Name: october/cms
Vulnerable Version: <0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00261 (percentile: 0.49289)
Details
Withdrawn Advisory: October Cross-site Scripting vulnerability
## Withdrawn Advisory
This advisory has been withdrawn because the vulnerability affects October CMS's installer, not October CMS. The installer deletes all folders and files upon completion of installation. The vulnerability is valid, but because October's installer is not part of one of the GitHub Advisory Database's [supported ecosystems](https://github.com/github/advisory-database/blob/main/README.md#supported-ecosystems), alerts cannot be sent out for the correct package.
## Corrected Description
A Cross-Site Scripting (XSS) vulnerability in the installer of October CMS allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field.
Metadata
Created: 2023-09-28T15:30:17Z
Modified: 2023-10-05T17:32:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-2g8p-j2r6-vqpj/GHSA-2g8p-j2r6-vqpj.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-2g8p-j2r6-vqpj
Finding: F008
Auto approve: 1