October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool. This issue has been patched in version 3.5.15.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 29 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-08-01T23:44:09.889Z

Reserved: 2024-02-08T22:26:33.513Z

Link: CVE-2024-25637

cve-icon Vulnrichment

Updated: 2024-08-01T23:44:09.889Z

cve-icon NVD

Status : Analyzed

Published: 2024-06-26T16:15:10.910

Modified: 2025-09-29T14:09:16.227

Link: CVE-2024-25637

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-12T22:15:49Z