CVE-2017-15284 - OctoberCMS 1.0.425 (Build 425) - Cross-Site Scripting

Security Advisory: CVE-2017-15284 - OctoberCMS 1.0.425 (Build 425) - Cross-Site Scripting

OVERVIEW

Severity Rating: High

Confirmed Affected Versions: 1.0.425 (aka Build 425)

Confirmed Patched Versions: Build 426

Vendor: OctoberCMS

Vendor URL: https://octobercms.com/

Vector: Remote

Status: Public

CVE: CVE-2017-15284

ExploitDB URL: https://www.exploit-db.com/exploits/42978/

PRODUCT DESCRIPTION

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. It is a simple and modular CMS that grows with you, with a precise and beautiful interface that comes as second nature.

OctoberCMS is developed and maintained by Alexey Bobkov and Samuel Georges.

SUMMARY AND IMPACT

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425): a least-privileged user can upload an SVG file containing malicious code as the avatar for their profile. When this file is opened by the Admin, the embedded JavaScript executes in the context of the Admin account.

In OctoberCMS, a least-privileged user can change their profile picture (avatar) by uploading an image file from their local system; however, they can also upload a Scalable Vector Graphics (SVG) file as their profile picture. During this research I found that JavaScript code can be executed via SVG files. Thanks to @brutelogic.

When an Administrator of the OctoberCMS instance accesses and clicks on the avatar of this least-privileged user, the Administrator has the option to open the image in a new tab by clicking on “Attachment URL”, which then executes the JavaScript code embedded in the SVG file.
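As an added illustration (this is not code from OctoberCMS or from the advisory author), the following Python shows the kind of server-side upload check that closes this bug class: recognise an SVG by parsing its content rather than trusting the filename, and either reject SVG avatars outright or refuse any SVG that carries script-capable constructs. The element and attribute names are those the SVG specification defines; the function names, the policy and the sample inputs in the test are assumptions.

```python
"""Avatar upload checks: detect SVG by content and flag active constructs."""
import xml.etree.ElementTree as ET

# Elements that make an SVG executable in a browser (per the SVG spec).
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# Attribute-value schemes that turn a link into script execution.
DANGEROUS_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(name: str) -> str:
    """Strip an XML namespace ('{uri}name' -> 'name') from a tag/attribute."""
    return name.rsplit("}", 1)[-1]


def parse_svg(data: bytes):
    """Return the root element if `data` is a well-formed SVG document, else None.
    The stdlib expat parser is used here; for untrusted uploads in production,
    prefer defusedxml to guard against entity-expansion attacks."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    # Match on the local name so an SVG with a missing/odd namespace is still caught.
    return root if _local(root.tag) == "svg" else None


def find_active_content(root) -> list:
    """List every script-capable construct anywhere in the SVG tree.
    This is a denylist for illustration; a maintained SVG sanitiser is preferable."""
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)  # handles both href and xlink:href
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(DANGEROUS_SCHEMES):
                findings.append(f"href with active URL scheme on <{tag}>")
    return findings


def validate_avatar(data: bytes, allow_svg: bool = False):
    """Upload policy (assumed): returns (accepted, reason). Raster validation of
    non-SVG input is out of scope here. Default rejects every SVG, whatever the
    filename says; allow_svg=True accepts only SVGs with no active content."""
    root = parse_svg(data)
    if root is None:
        return True, "not an SVG document"
    if not allow_svg:
        return False, "SVG avatars are not permitted"
    findings = find_active_content(root)
    if findings:
        return False, "SVG contains active content: " + "; ".join(findings)
    return True, "SVG without active content"
```

Even when an SVG passes such a check, serving user uploads from a separate origin with Content-Disposition: attachment keeps a later bypass from running in the admin's session.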

PROOF OF CONCEPT

https://www.youtube.com/watch?v=oLqfbrDhFlc

WORKAROUNDS

There is no workaround other than updating to the latest version of OctoberCMS (Build 426 or later), available from the vendor at https://octobercms.com/.

Advisory Update: November 01, 2017