CVE-2024-25637

October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool. This issue has been patched in version 3.5.15.
Configurations

No configuration.

History

21 Nov 2024, 09:01

Type Values Removed Values Added
References () https://github.com/octobercms/october/security/advisories/GHSA-rjw8-v7rr-r563 - () https://github.com/octobercms/october/security/advisories/GHSA-rjw8-v7rr-r563 -

27 Jun 2024, 12:47

Type Values Removed Values Added
Summary
  • (es) October es una plataforma CMS autohospedada basada en Laravel PHP Framework. El encabezado X-October-Request-Handler no sanitiza el nombre del controlador AJAX y permite que se refleje HTML sin escape. No hay ningún impacto ya que esta vulnerabilidad no se puede explotar mediante interacciones normales del navegador. Este valor sin escape solo es detectable cuando se utiliza una herramienta de interceptación de proxy. Este problema se solucionó en la versión 3.5.15.

26 Jun 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-26 16:15

Updated : 2024-11-21 09:01


NVD link : CVE-2024-25637

Mitre link : CVE-2024-25637

CVE.ORG link : CVE-2024-25637


JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')