Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yanc4LXY3cnItcjU2M84AA9Xl

October System module has a Reflected XSS via X-October-Request-Handler Header

Impact

The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool.

Patches

This issue has been patched in v3.5.15.

References

Credits to:

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-rjw8-v7rr-r563
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yanc4LXY3cnItcjU2M84AA9Xl
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 18 days ago
Updated: 18 days ago


CVSS Score: 3.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-rjw8-v7rr-r563, CVE-2024-25637
References: Repository: https://github.com/octobercms/october
Blast Radius: 7.8

Affected Packages

packagist:october/system
Dependent packages: 37
Dependent repositories: 340
Downloads: 1,002,689 total
Affected Version Ranges: >= 3.2, < 3.5.15
Fixed in: 3.5.15
All affected versions:
All unaffected versions: 1.0.319, 1.0.320, 1.0.321, 1.0.322, 1.0.323, 1.0.324, 1.0.325, 1.0.326, 1.0.327, 1.0.328, 1.0.329, 1.0.330, 1.0.331, 1.0.332, 1.0.333, 1.0.334, 1.0.335, 1.0.336, 1.0.337, 1.0.338, 1.0.339, 1.0.340, 1.0.341, 1.0.342, 1.0.343, 1.0.344, 1.0.345, 1.0.346, 1.0.347, 1.0.348, 1.0.349, 1.0.350, 1.0.351, 1.0.352, 1.0.353, 1.0.354, 1.0.355, 1.0.356, 1.0.357, 1.0.358, 1.0.359, 1.0.360, 1.0.361, 1.0.362, 1.0.363, 1.0.364, 1.0.365, 1.0.366, 1.0.367, 1.0.368, 1.0.369, 1.0.370, 1.0.371, 1.0.372, 1.0.373, 1.0.374, 1.0.375, 1.0.376, 1.0.377, 1.0.378, 1.0.379, 1.0.380, 1.0.381, 1.0.382, 1.0.383, 1.0.384, 1.0.385, 1.0.386, 1.0.387, 1.0.388, 1.0.389, 1.0.390, 1.0.391, 1.0.392, 1.0.393, 1.0.394, 1.0.395, 1.0.396, 1.0.397, 1.0.398, 1.0.399, 1.0.400, 1.0.401, 1.0.402, 1.0.403, 1.0.404, 1.0.405, 1.0.406, 1.0.407, 1.0.408, 1.0.409, 1.0.410, 1.0.411, 1.0.412, 1.0.413, 1.0.414, 1.0.415, 1.0.416, 1.0.417, 1.0.418, 1.0.419, 1.0.420, 1.0.421, 1.0.422, 1.0.423, 1.0.424, 1.0.425, 1.0.426, 1.0.427, 1.0.428, 1.0.429, 1.0.430, 1.0.431, 1.0.432, 1.0.433, 1.0.434, 1.0.435, 1.0.436, 1.0.437, 1.0.438, 1.0.439, 1.0.440, 1.0.441, 1.0.442, 1.0.443, 1.0.444, 1.0.445, 1.0.446, 1.0.447, 1.0.448, 1.0.449, 1.0.450, 1.0.451, 1.0.452, 1.0.453, 1.0.454, 1.0.455, 1.0.456, 1.0.457, 1.0.458, 1.0.459, 1.0.460, 1.0.461, 1.0.462, 1.0.463, 1.0.464, 1.0.465, 1.0.466, 1.0.467, 1.0.468, 1.0.469, 1.0.470, 1.0.471, 1.0.472, 1.0.473, 1.0.474, 1.0.475, 1.0.476, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.9, 1.1.10, 1.1.11, 1.1.12