CVE-2017-15284 - OctoberCMS 1.0.425 (Build 425) - Cross-Site Scripting
Security Advisory: CVE-2017-15284 - OctoberCMS 1.0.425 (Build 425) - Cross-Site Scripting
OVERVIEW
Severity Rating: High
Confirmed Affected Versions: 1.0.425 (aka Build 425)
Confirmed Patched Versions: Build 426
Vendor: OctoberCMS
Vendor URL: https://octobercms.com/
Vector: Remote
Status: Public
CVE: CVE-2017-15284
ExploitDB URL: https://www.exploit-db.com/exploits/42978/
PRODUCT DESCRIPTION
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A simple and modular CMS that grows with you, with a precise and beautiful interface that comes as second nature.
OctoberCMS is developed and maintained by Alexey Bobkov and Samuel Georges
SUMMARY AND IMPACT
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.
In OctoberCMS a least privileged user can change his profile picture (Avatar) by uploading an image file from his local system, however he can also upload a Scalable Vector Graphics (SVG) file as his profile picture. During this research I found that we can execute JavaScript code via SVG files. Thanks to @brutelogic .
When an Administrator of the OctoberCMS accesses and clicks on the avatar of this least privileged user, administrator has an option to open the image in a new tab by clicking on “Attachment URL” which will then execute the JavaScript code via the SVG file.
PROOF OF CONCEPT
https://www.youtube.com/watch?v=oLqfbrDhFlc
WORKAROUNDS
There is no workaround except for updating to the latest version of OctoberCMS from here
Advisory Update: November 01, 2017