CVE-2023-44383 MEDIUM

CVE-2023-44383: October CMS stored XSS by authenticated backend user with improper configuration

Vendor Octobercms
Product october
Weakness CWE-79 · XSS
Published November 29, 2023
Last update June 5, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. This issue has been patched in version 3.5.2.

Key dates

02 Disclosure timeline

November 29, 2023 CVE published
June 5, 2025 Record updated