Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-rjw8-v7rr-r563: October System module has a Reflected XSS via X-October-Request-Handler Header

Impact

The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool.

Patches

This issue has been patched in v3.5.15.

References

Credits to:

For more information

If you have any questions or comments about this advisory:

ghsa
#xss#vulnerability#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-25637

October System module has a Reflected XSS via X-October-Request-Handler Header

Low severity GitHub Reviewed Published Jun 25, 2024 in octobercms/october • Updated Jun 26, 2024

Package

composer october/system (Composer)

Affected versions

>= 3.2, < 3.5.15

Impact

The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool.

Patches

This issue has been patched in v3.5.15.

References

Credits to:

  • Mayank Mehra

For more information

If you have any questions or comments about this advisory:

References

  • GHSA-rjw8-v7rr-r563

Published to the GitHub Advisory Database

Jun 26, 2024

Last updated

Jun 26, 2024

ghsa: Latest News

GHSA-27wf-5967-98gx: Kubernetes kubelet arbitrary command execution