CVE-2024-25637

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-25637

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-25637.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-25637

Aliases

GHSA-rjw8-v7rr-r563

Published

2024-06-26T15:55:35Z

Modified

2025-10-21T02:34:25Z

Severity

3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Reflected XSS via X-October-Request-Handler Header

Details

October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool. This issue has been patched in version 3.5.15.

References

https://github.com/octobercms/october/security/advisories/GHSA-rjw8-v7rr-r563

Affected packages

Git /

Affected ranges

Database specific

unresolved_versions

[
    {
        "events": [
            {
                "introduced": "3.2"
            },
            {
                "fixed": "3.5.15"
            }
        ],
        "type": ""
    }
]