Medium severity5.4NVD Advisory· Published Oct 12, 2017· Updated Jun 17, 2026
CVE-2017-15284
CVE-2017-15284
Description
Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
october/rainPackagist | < 1.0.426 | 1.0.426 |
Affected products
2- cpe:2.3:a:octobercms:october:1.0.425:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
6- github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2nvdPatchThird Party AdvisoryWEB
- packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.htmlnvdExploitThird Party AdvisoryVDB EntryWEB
- www.exploit-db.com/exploits/42978/nvdExploitThird Party AdvisoryVDB Entry
- github.com/advisories/GHSA-gvgf-fp4m-2hw6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-15284ghsaADVISORY
- www.exploit-db.com/exploits/42978ghsaWEB
News mentions
0No linked articles in our index yet.