GHSA-rjw8-v7rr-r563

Suggest an improvement
Source
https://github.com/advisories/GHSA-rjw8-v7rr-r563
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-rjw8-v7rr-r563/GHSA-rjw8-v7rr-r563.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rjw8-v7rr-r563
Aliases
  • CVE-2024-25637
Published
2024-06-26T14:08:31Z
Modified
2024-06-26T19:31:48Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
October System module has a Reflected XSS via X-October-Request-Handler Header
Details

Impact

The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool.

Patches

This issue has been patched in v3.5.15.

References

Credits to: - Mayank Mehra

For more information

If you have any questions or comments about this advisory: * Email us at hello@octobercms.com

References

Affected packages

Packagist / october/system

Package

Name
october/system
Purl
pkg:composer/october/system

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2
Fixed
3.5.15