CVE-2020-5298

Summary

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the ImportExportController behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466).

Affected Software

VendorProductVersion RangeStatus
octobercmsoctober>= 1.0.319, < 1.0.466affected

Weaknesses

  • CWE-87: CWE-87: Improper Neutralization of Alternate XSS Syntax

ADP Enrichment

CVE Program Container

Additional References

References