Cross-Site Request Forgery in OctoberCMS by October
CVE-2017-16244

8.8 HIGH

Key Information:

Vendor: Octobercms
Status: Vendor
CVE Published: 1 November 2017

What is CVE-2017-16244?

A Cross-Site Request Forgery (CSRF) vulnerability exists in OctoberCMS version 1.0.426 because CSRF tokens are not adequately validated during postback handling. The flaw lets an attacker bypass the protection provided by X-CSRF headers and CSRF tokens by exploiting a specific _handler postback variable. As a result, a malicious actor could compromise user accounts without proper authorization, which poses a significant risk to the security of affected web applications.

CVSS v3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved