CVE-2017-15284 – october/rain
Package
Manager: composer
Name: october/rain
Vulnerable Version: >=0 <1.0.426
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01729 (percentile: 0.81716)
Details
OctoberCMS Cross-Site Scripting
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.
Metadata
Created: 2022-05-13T01:24:45Z
Modified: 2025-04-23T02:22:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gvgf-fp4m-2hw6/GHSA-gvgf-fp4m-2hw6.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-gvgf-fp4m-2hw6
Finding: F425
Auto approve: 1