October is a self-hosted CMS platform based on the Laravel PHP Framework. The AJAX handler name supplied in the X-October-Request-Handler header is not sanitized, which allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. The unescaped value is only detectable when using a proxy interception tool. This issue has been patched in version 3.5.15.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
History
Mon, 29 Sep 2025 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:* |

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2024-08-01T23:44:09.889Z
Reserved: 2024-02-08T22:26:33.513Z
Link: CVE-2024-25637

Status: Analyzed
Published: 2024-06-26T16:15:10.910
Modified: 2025-09-29T14:09:16.227
Link: CVE-2024-25637

Updated: 2025-07-12T22:15:49Z