Low severityNVD Advisory· Published Jun 26, 2024· Updated Aug 1, 2024

October Open Redirect for Administrator Accounts

CVE-2024-24764

Description

October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema (october://) allowed external links, therefore allowing an open redirect outside the scope of the active host. This vulnerability has been patched in version 3.5.15.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
october/systemPackagist	>= 3.2, < 3.5.15	3.5.15

Affected products

Octobercms/Octoberv5
Range: >= 3.2, < 3.5.15

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-v2vf-jv88-3fp5ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-24764ghsaADVISORY
github.com/octobercms/october/security/advisories/GHSA-v2vf-jv88-3fp5ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000