CVE-2015-5612

Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via the caption tag of a profile image.

Published Bycve@mitre.org

Published DateSep 04, 2015, 15:59

Affected Versions(1)

october/october(Packagist)

Introduced0

Fixed1.0.319

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
october/october(Packagist)	0	1.0.319	N/A

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

4.3

Vector String

AV:N/AC:M/Au:N/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE

References

http://www.openwall.com/lists/oss-security/2015/07/21/5
http://www.openwall.com/lists/oss-security/2015/07/22/3
https://github.com/octobercms/october/commit/8a4ac533e5cd6b8f92e9ef19fbfbb2f505dc7a9a
https://github.com/octobercms/october/issues/1302

Weakness Type (CWE):CWE-79

CVSS Metrics

Base Score

4.3

Vector String

AV:N/AC:M/Au:N/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE