Medium severity5.4NVD Advisory· Published Oct 12, 2017· Updated May 13, 2026

CVE-2017-15284

Description

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
october/rainPackagist	< 1.0.426	1.0.426

Affected products

Octobercms/October
cpe:2.3:a:octobercms:october:1.0.425:*:*:*:*:*:*:*

Patches

3bbbbf3da469

Remove SVG from image types

https://github.com/octobercms/librarySamuel GeorgesOct 9, 2017via ghsa

commit

1 file changed · +1 −2

src/Filesystem/Definitions.php+1 −2 modified

@@ -182,8 +182,7 @@ protected function imageExtensions()
             'bmp',
             'png',
             'webp',
-            'gif',
-            'svg'
+            'gif'
         ];
     }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2nvdPatchThird Party AdvisoryWEB
packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.htmlnvdExploitThird Party AdvisoryVDB EntryWEB
www.exploit-db.com/exploits/42978/nvdExploitThird Party AdvisoryVDB Entry
github.com/advisories/GHSA-gvgf-fp4m-2hw6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-15284ghsaADVISORY
www.exploit-db.com/exploits/42978ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.001
exploit	0.030
kev	0.000
patch	-0.070
ransomware	0.000