Packagist (Composer) package
october/rain
pkg:composer/october/rain
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-25133 | Med | 4.8 | — | >= 4.0.0, < 4.1.10 | 4.1.10 | Apr 14, 2026 | October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could b |
| CVE-2026-25125 | Med | 4.9 | — | >= 4.0.0, < 4.1.10 | 4.1.10 | Apr 14, 2026 | October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${} syntax for environment variable interpo |
| CVE-2026-22692 | Med | 4.9 | — | >= 4.0.0, < 4.1.5 | 4.1.5 | Apr 14, 2026 | October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restri |
| CVE-2021-3311 | — | — | — | < 1.0.472 | 1.0.472 | Feb 5, 2021 | An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new login occurs. NOTE: this violates the intended Auth/Manager.php authentication behavior but, admittedly, is only relevant if an old session ID |
| CVE-2020-15128 | — | — | — | >= 1.0.319, < 1.0.468 | 1.0.468 | Jul 31, 2020 | In OctoberCMS before version 1.0.468, encrypted cookie values were not tied to the name of the cookie the value belonged to. This meant that certain classes of attacks that took advantage of other theoretical vulnerabilities in user facing code (nothing exploitable in the core pr |
| CVE-2017-15284 | Med | 5.4 | — | < 1.0.426 | 1.0.426 | Oct 12, 2017 | Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account. |
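CVE-2026-25133 and CVE-2017-15284 are both cases of an uploaded SVG keeping script-bearing content. The following is an added example, not october/rain code and not the bypass from either advisory: a deliberately naive regex that strips only double-quoted on* attributes, shown beside a DOMDocument-based allow-list that removes every element and attribute not explicitly permitted. The function names, the allow-lists (a small illustrative subset, not a full SVG profile) and the sample documents are all constructed for this illustration.

```php
<?php
// Added illustration, not october/rain code and not the bypass from either advisory.
// Contrast: a regex denylist that strips event-handler attributes, beside a parser-based
// allow-list that keeps only known-safe elements and attributes.

/** Naive denylist: removes only on*="..." written with double quotes. */
function stripEventHandlersNaive(string $svg): string
{
    return preg_replace('/\s+on\w+\s*=\s*"[^"]*"/i', '', $svg);
}

/**
 * Parse the upload as XML and drop anything not allow-listed.
 * Returns null when the document is not well-formed or its root is not <svg>.
 */
function sanitizeSvgAllowList(string $svg): ?string
{
    // Illustrative subset, not a complete SVG profile. No URL-bearing attributes
    // (href, xlink:href) and no script-capable elements are permitted at all.
    $allowedElements   = ['svg', 'g', 'path', 'circle', 'rect', 'text', 'title', 'desc'];
    $allowedAttributes = ['xmlns', 'viewBox', 'width', 'height', 'd', 'fill', 'stroke',
                          'cx', 'cy', 'r', 'x', 'y', 'transform', 'id', 'class'];

    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. Never add LIBXML_NOENT:
    // it substitutes entities and reopens XXE-style problems.
    if (!$doc->loadXML($svg, LIBXML_NONET) || $doc->documentElement->localName !== 'svg') {
        return null;
    }

    $xpath = new DOMXPath($doc);
    // Copy the live node list first; removing nodes while iterating it skips siblings.
    foreach (iterator_to_array($xpath->query('//*')) as $el) {
        if (!in_array($el->localName, $allowedElements, true)) {
            $el->parentNode->removeChild($el);   // removes <script>, <a>, <foreignObject>, ...
            continue;
        }
        // Judge attributes by qualified name, so xlink:href and every on* fall out,
        // whatever quoting, casing or whitespace the upload used.
        foreach (iterator_to_array($el->attributes) as $attr) {
            if (!in_array($attr->nodeName, $allowedAttributes, true)) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    return $doc->saveXML($doc->documentElement);
}

// Constructed samples, generic rather than the advisories' payloads. The regex was
// written for the first; the other two carry script past it untouched.
$samples = [
    'double-quoted on*' => '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    'single-quoted on*' => "<svg xmlns=\"http://www.w3.org/2000/svg\" onload='alert(1)'/>",
    'script element'    => '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
];

foreach ($samples as $label => $svg) {
    printf("%-18s regex : %s\n", $label, stripEventHandlersNaive($svg));
    printf("%-18s parser: %s\n\n", $label, sanitizeSvgAllowList($svg) ?? '(rejected)');
}
```

Run it with a PHP 8 CLI that has ext-dom. The regex leaves the single-quoted handler and the `<script>` element in place, because a denylist only removes the shapes its author thought of; the parser-based version never has to enumerate bad shapes. On PHP 7 also call `libxml_disable_entity_loader(true)` before `loadXML()`; PHP 8 builds against a libxml that leaves external entity loading off by default.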
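The parser behaviour behind CVE-2026-25125 is worth seeing directly. This is an added example, not october/rain code: in PHP's default `INI_SCANNER_NORMAL` mode the INI scanner expands `${NAME}` inside option values, resolving the name first against ini directives and then against the process environment, while `INI_SCANNER_RAW` leaves the text literal. The environment variable, the input string and `parseUserIni()` are constructed for the illustration.

```php
<?php
// Added illustration, not october/rain code. In PHP's default INI_SCANNER_NORMAL mode
// the INI scanner expands ${NAME} inside option values, resolving NAME first against
// ini directives and then against the process environment. INI_SCANNER_RAW does not
// interpret option values at all, so the text stays literal.

putenv('DEMO_DB_PASSWORD=hunter2');   // constructed stand-in for a deployment secret

// Constructed input of the kind a low-privileged user might submit through a settings form.
$untrusted = "label = \${DEMO_DB_PASSWORD}\n";

$normal = parse_ini_string($untrusted, false, INI_SCANNER_NORMAL);
$raw    = parse_ini_string($untrusted, false, INI_SCANNER_RAW);

var_dump($normal['label']);   // secret value substituted into the parsed setting
var_dump($raw['label']);      // literal text, nothing substituted

/**
 * Parse user-supplied INI text with interpolation disabled. RAW mode alone closes
 * the hole; the explicit token check keeps a future scanner-mode change from
 * silently reopening it.
 */
function parseUserIni(string $ini): array
{
    if (strpos($ini, '${') !== false) {
        throw new InvalidArgumentException('INI variable interpolation is not permitted');
    }
    $parsed = parse_ini_string($ini, false, INI_SCANNER_RAW);
    if ($parsed === false) {
        throw new InvalidArgumentException('Malformed INI text');
    }
    return $parsed;
}

var_dump(parseUserIni("label = plain text\n"));

try {
    parseUserIni($untrusted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Because the lookup tries ini directives before the environment, names such as `${memory_limit}` disclose configuration as readily as `${DEMO_DB_PASSWORD}` discloses a secret. When auditing a code base, treat every `parse_ini_string()` or `parse_ini_file()` call on non-operator input that lacks `INI_SCANNER_RAW` as suspect.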
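CVE-2020-15128 describes ciphertexts that were valid under any cookie name, so a value minted for one cookie could be presented as another. The following is an added example, not october/rain code and not its actual fix: the cookie name is passed as associated data to an AEAD (libsodium's XChaCha20-Poly1305 through PHP's ext/sodium), so the same bytes replayed under a different name fail authentication. The key, cookie names and values are constructed for the demonstration.

```php
<?php
// Added example, not october/rain code: bind an encrypted cookie value to its cookie
// name by authenticating the name as AEAD associated data. The name is not stored in
// the value; the browser resends it with every request and the server supplies it again
// at decrypt time, so a swapped value has the wrong associated data and fails the tag check.

function encryptCookie(string $name, string $value, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($value, $name, $nonce, $key);
    return sodium_bin2base64($nonce . $ct, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

/** Returns the plaintext, or null when decoding or authentication fails. */
function decryptCookie(string $name, string $encoded, string $key): ?string
{
    try {
        $raw = sodium_base642bin($encoded, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;
    }
    $nlen = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if (strlen($raw) < $nlen + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
        return null;   // too short to hold a nonce and an authentication tag
    }
    $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($raw, $nlen), $name, substr($raw, 0, $nlen), $key
    );
    return $plain === false ? null : $plain;
}

$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();   // constructed demo key

// Constructed cookies: one sensitive, one that a user may legitimately influence.
$sessionCookie = encryptCookie('session', 'sid:4f3a9c', $key);
$prefsCookie   = encryptCookie('prefs', 'theme=dark', $key);

var_dump(decryptCookie('prefs', $prefsCookie, $key));     // legitimate read succeeds
var_dump(decryptCookie('session', $prefsCookie, $key));   // cookie-swap attempt fails
```

The second `decryptCookie()` call returns null: the ciphertext and tag are genuine, but they were computed over the associated data `prefs`, not `session`. The same binding can be achieved by prefixing the plaintext with a keyed hash of the name and checking it after decryption, which is what a scheme without an AEAD has to do; with an AEAD the associated-data slot exists for exactly this purpose.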