
Improper Neutralization of Alternate XSS Syntax

CVE-2020-5298

Severity Medium
Score 4.8/10

Summary

In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker into uploading a maliciously crafted CSV file, which could result in a reflected XSS attack on the user in question. The issue has been patched in Build 466 (v1.0.466).
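As an added illustration (not OctoberCMS code; the page does not show the actual import preview), the pattern the summary describes, CSV cell values echoed back into an HTML preview unescaped, beside its mitigated form. The point of CWE-87 is that a per-syntax blocklist is the wrong fix: context-aware output encoding neutralizes a cell no matter which XSS syntax it uses. The CSV content and function names are constructed for this example.

```python
import csv
import html
import io

# Constructed sample import file (not the payload from the advisory):
# two cells carry markup of the kind a crafted CSV could smuggle in,
# one tag-based and one attribute-breaking, so the same encoder can be
# shown handling both without any knowledge of the specific syntax.
SAMPLE_CSV = (
    'name,email\n'
    '"<img src=x onerror=alert(1)>",alice@example.com\n'
    '"bob"" onmouseover=""alert(1)",bob@example.com\n'
)


def parse_csv(text):
    """Parse CSV text into a list of rows (lists of cell strings)."""
    return list(csv.reader(io.StringIO(text)))


def render_preview_unsafe(rows):
    """Vulnerable pattern: cell values are concatenated into HTML as-is,
    so anything the file author wrote is interpreted as markup."""
    body = "".join(
        "<tr>" + "".join(f"<td>{cell}</td>" for cell in row) + "</tr>"
        for row in rows
    )
    return f"<table>{body}</table>"


def render_preview_safe(rows):
    """Mitigated form: every cell is HTML-entity encoded for the element
    context it lands in. quote=True also encodes quotes, which matters
    if a value is ever placed inside an attribute."""
    body = "".join(
        "<tr>"
        + "".join(f"<td>{html.escape(cell, quote=True)}</td>" for cell in row)
        + "</tr>"
        for row in rows
    )
    return f"<table>{body}</table>"


def rendered_cells_are_inert(html_text, rows):
    """Regression check: no cell containing markup-significant characters
    may appear verbatim in the rendered page."""
    for row in rows:
        for cell in row:
            if any(ch in cell for ch in '<>"\'') and cell in html_text:
                return False
    return True
```

The check function is the kind of assertion to keep in the test suite for any import preview or error page that reflects file contents.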

  • LOW
  • NETWORK
  • LOW
  • CHANGED
  • REQUIRED
  • HIGH
  • LOW
  • NONE

CWE-87 - Improper Neutralization of Alternate XSS Syntax

The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
