CVE-2020-5298 MEDIUM

CVE-2020-5298: Reflected XSS when importing CSV in OctoberCMS

Vendor Octobercms
Product october
Weakness CWE-87
Published June 3, 2020
Last update August 4, 2024

CVSS base score

4.0/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466).

Key dates

02Disclosure timeline

June 3, 2020 CVE published
August 4, 2024 Record updated

Related vulnerabilities

04Related CVE