High severity8.8NVD Advisory· Published Nov 1, 2017· Updated Jun 17, 2026
CVE-2017-16244
CVE-2017-16244
Description
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
october/octoberPackagist | < 1.0.427 | 1.0.427 |
Affected products
2- cpe:2.3:a:octobercms:october:1.0.426:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
5- github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0nvdPatchThird Party AdvisoryWEB
- www.exploit-db.com/exploits/43106/nvdExploitThird Party AdvisoryVDB Entry
- github.com/advisories/GHSA-vm6r-4p4v-232xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-16244ghsaADVISORY
- www.exploit-db.com/exploits/43106ghsaWEB
News mentions
0No linked articles in our index yet.