CVE-2024-25637

LOW Year: 2024
CVSS v3 Score
3.1
Low
Weakness Type
CWE-79
View all →

Vulnerability Description

October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool. This issue has been patched in version 3.5.15.

Related Vulnerabilities

CVE-2016-7239

LOW
CVSS:3.1(Low)

The RegEx class in the XSS filter in Microsoft Internet Explorer 9 through 11 and Microsoft Edge allows remote attackers to conduct cross-site scripting (XSS) attacks and obtain sensitive information ...

CWE-792016

CVE-2019-11291

LOW
CVSS:3.1(Low)

Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, feder...

CWE-792019

CVE-2023-48679

LOW
CVSS:3.1(Low)

Stored cross-site scripting (XSS) vulnerability due to missing origin validation in postMessage. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 37391.

CWE-792023

CVE-2024-28866

LOW
CVSS:3.1(Low)

GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23.5.0 (inclusive) are potentially vulnerable to a reflected cross-site scripting vulnerability on the loading page displayed while G...

CWE-792024

CVE-2024-43411

LOW
CVSS:3.1(Low)

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A theoretical vulnerability has been identified in CKEditor 4.22 (and above). In a highly unlikely scenario where an attacker gain...

CWE-792024