CVE-2024-51991

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-51991

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-51991.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-51991

Aliases

GHSA-96hh-8hx5-cpw7

Published

2025-05-05T17:04:53Z

Modified

2025-10-21T02:35:12Z

Severity

1.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U CVSS Calculator

Summary

October CMS Allows Unprotected SVG Rename in Media Manager

Details

October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated administrators with sites that have the media.clean_vectors configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this protection by uploading it with a permitted extension (for example, .jpg or .png) and later modifying it to the .svg extension. This vulnerability assumes a trusted user will attack another trusted user and cannot be actively exploited without access to the administration panel and interaction from the other user. This issue has been patched in v3.7.5.

References

https://github.com/octobercms/october/security/advisories/GHSA-96hh-8hx5-cpw7

Affected packages

Git /

Affected ranges

Database specific

unresolved_versions

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "3.7.5"
            }
        ],
        "type": ""
    }
]