CVE-2017-15284

{"id": "CVE-2017-15284", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2017-10-12T08:29:00.570", "references": [{"url": "https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.html", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/42978/", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account."}, {"lang": "es", "value": "Existe Cross-Site Scripting (XSS) en OctoberCMS 1.0.425 (tambi\u00e9n conocido como Build 425), permitiendo que un usuario con los privilegios m\u00e1s bajos suba un archivo SVG que contenga c\u00f3digo malicioso como el Avatar para el perfil. Cuando el Admin lo abre, provoca que se ejecute c\u00f3digo JavaScript en el contexto de la cuenta Admin."}], "lastModified": "2020-08-03T12:15:45.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octobercms:october:1.0.425:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "826F823D-1B29-490D-9C02-3D26A45C1BEE"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}