N/A

October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appear to be exploitable via an Authenticated user with media module permission who can create arbitrary folder name (XSS). This vulnerability appears to have been fixed in build 437.

N/A

N/A

October CMS 跨站脚本漏洞

October CMS是加拿大软件开发者Alexey Bobkov和澳大利亚软件开发者Samuel Georges共同研发的一套开源的、自托管的建立在Laravel PHP框架基础上的内容管理系统（CMS）。Media module是其中的一个媒体内容管理模块。 October CMS Build 437之前版本中的Media模块和创建文件夹功能存在跨站脚本漏洞。远程攻击者可通过创建任意文件夹名称利用该漏洞控制管理员账户。

N/A

N/A