Improper Neutralization of Alternate XSS Syntax
CVE-2020-5298
Summary
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466).
- LOW
- NETWORK
- LOW
- CHANGED
- REQUIRED
- HIGH
- LOW
- NONE
CWE-87 - Improper Neutralization of Alternate XSS Syntax
The software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
References
Advisory Timeline
- Published