Moderate severityNVD Advisory· Published Sep 4, 2015· Updated May 6, 2026

CVE-2015-5612

Description

Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via the caption tag of a profile image.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
october/octoberPackagist	< 1.0.319	1.0.319

Affected products

Octobercms/October
cpe:2.3:a:octobercms:october:-:*:*:*:*:*:*:*

Patches

8a4ac533e5cd

Escape file title - Fixes #1302

https://github.com/octobercms/octoberSamuel GeorgesJul 22, 2015via ghsa

commit

4 files changed · +4 −4

modules/backend/formwidgets/fileupload/partials/_file_multi.htm+1 −1 modified

@@ -24,7 +24,7 @@
                 </div>
                 <div class="info">
                     <h4 class="filename">
-                        <span data-dz-name><?= $file->title ?: $file->file_name ?></span>
+                        <span data-dz-name><?= e($file->title ?: $file->file_name) ?></span>
                         <a
                             href="javascript:;"
                             class="upload-remove-button"

modules/backend/formwidgets/fileupload/partials/_file_single.htm+1 −1 modified

@@ -23,7 +23,7 @@
                 </div>
                 <div class="info">
                     <h4 class="filename">
-                        <span data-dz-name><?= $singleFile->title ?: $singleFile->file_name ?></span>
+                        <span data-dz-name><?= e($singleFile->title ?: $singleFile->file_name) ?></span>
                     </h4>
                     <p class="size"><?= e($singleFile->sizeToString()) ?></p>
                 </div>

modules/backend/formwidgets/fileupload/partials/_image_multi.htm+1 −1 modified

@@ -24,7 +24,7 @@
                 </div>
                 <div class="info">
                     <h4 class="filename">
-                        <span data-dz-name><?= $file->title ?: $file->file_name ?></span>
+                        <span data-dz-name><?= e($file->title ?: $file->file_name) ?></span>
                         <a
                             href="javascript:;"
                             class="upload-remove-button"

modules/backend/formwidgets/fileupload/partials/_image_single.htm+1 −1 modified

@@ -28,7 +28,7 @@
                 </div>
                 <div class="info">
                     <h4 class="filename">
-                        <span data-dz-name><?= $singleFile->title ?: $singleFile->file_name ?></span>
+                        <span data-dz-name><?= e($singleFile->title ?: $singleFile->file_name) ?></span>
                         <a
                             href="javascript:;"
                             class="upload-remove-button"

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/octobercms/october/commit/8a4ac533e5cd6b8f92e9ef19fbfbb2f505dc7a9anvdPatchWEB
github.com/octobercms/october/issues/1302nvdPatchWEB
github.com/advisories/GHSA-9hq8-v2jc-qj4rghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2015-5612ghsaADVISORY
www.openwall.com/lists/oss-security/2015/07/21/5nvdWEB
www.openwall.com/lists/oss-security/2015/07/22/3nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000