Filtered by vendor Octobercms
Subscriptions
Filtered by product October
Subscriptions
Total
46 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-44382 | 1 Octobercms | 1 October | 2024-08-02 | 9.1 Critical |
October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This issue has been patched in 3.4.15. | ||||
CVE-2023-44383 | 1 Octobercms | 1 October | 2024-08-02 | 5.4 Medium |
October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. This issue has been patched in version 3.5.2. | ||||
CVE-2023-44381 | 1 Octobercms | 1 October | 2024-08-02 | 4.9 Medium |
October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can craft a special request to include PHP code in the CMS template. This issue has been patched in version 3.4.15. | ||||
CVE-2023-43876 | 1 Octobercms | 1 October | 2024-08-02 | 5.4 Medium |
A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field. | ||||
CVE-2023-37692 | 1 Octobercms | 1 October | 2024-08-02 | 5.4 Medium |
An arbitrary file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code via a crafted file. | ||||
CVE-2023-25365 | 1 Octobercms | 1 October | 2024-08-02 | 7.8 High |
Cross Site Scripting vulnerability found in October CMS v.3.2.0 allows local attacker to execute arbitrary code via the file type .mp3 |