Vulnerabilities > Octobercms

DATE | CVE | VULNERABILITY TITLE | RISK

2017-11-17 | CVE-2017-1000194 | Unrestricted Upload of File with Dangerous Type vulnerability in Octobercms October | 7.5
October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site compromise and possibly other applications on the server.
network, low complexity, octobercms, CWE-434

2017-11-17 | CVE-2017-1000193 | Cross-site Scripting vulnerability in Octobercms October | 4.3
October CMS build 412 is vulnerable to stored WCI (a.k.a XSS) in brand logo image name resulting in JavaScript code execution in the victim's browser.
network, octobercms, CWE-79

2017-11-01 | CVE-2017-16244 | Cross-Site Request Forgery (CSRF) vulnerability in Octobercms October 1.0.426 | 6.8
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account.

2017-10-12 | CVE-2017-15284 | Cross-site Scripting vulnerability in Octobercms October 1.0.425 | 3.5
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile.
network, octobercms, CWE-79

2017-10-05 | CVE-2017-1000119 | Unrestricted Upload of File with Dangerous Type vulnerability in Octobercms October 1.0.412 | 6.5
October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise and possibly other applications on the server.
network, low complexity, octobercms, CWE-434

2017-09-28 | CVE-2015-5613 | Cross-site Scripting vulnerability in Octobercms October | 3.5
Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving a file title, a different vulnerability than CVE-2015-5612.
network, octobercms, CWE-79

2015-09-04 | CVE-2015-5612 | Cross-site Scripting vulnerability in Octobercms October | 4.3
Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via the caption tag of a profile image.
network, octobercms, CWE-79