GHSA-rjw8-v7rr-r563
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rjw8-v7rr-r563
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-rjw8-v7rr-r563/GHSA-rjw8-v7rr-r563.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rjw8-v7rr-r563
- Aliases
-
- CVE-2024-25637
- Published
- 2024-06-26T14:08:31Z
- Modified
- 2024-06-26T19:31:48Z
- Severity
-
- 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- October System module has a Reflected XSS via X-October-Request-Handler Header
- Details
-
Impact
The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool.
Patches
This issue has been patched in v3.5.15.
References
Credits to: - Mayank Mehra
For more information
If you have any questions or comments about this advisory: * Email us at hello@octobercms.com
- Database specific
{ "nvd_published_at": "2024-06-26T16:15:10Z", "cwe_ids": [ "CWE-79" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2024-06-26T14:08:31Z" }- References
Affected packages
Packagist / october/system
Package
- Name
- october/system
- Purl
- pkg:composer/october/system