{"id":"CVE-2017-15284","details":"Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account.","aliases":["GHSA-gvgf-fp4m-2hw6"],"modified":"2026-04-11T15:43:37.187071Z","published":"2017-10-12T08:29:00.570Z","references":[{"type":"FIX","url":"https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2"},{"type":"EVIDENCE","url":"https://packetstormsecurity.com/files/144587/OctoberCMS-1.0.425-Cross-Site-Scripting.html"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/42978/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/octobercms/library","events":[{"introduced":"0"},{"fixed":"3bbbbf3da469f457881b5af902eb0b89b95189a2"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v1.0.319","v1.0.320","v1.0.321","v1.0.322","v1.0.323","v1.0.324","v1.0.325","v1.0.327","v1.0.328","v1.0.329","v1.0.330","v1.0.331","v1.0.332","v1.0.333","v1.0.334","v1.0.335","v1.0.336","v1.0.337","v1.0.338","v1.0.339","v1.0.340","v1.0.341","v1.0.342","v1.0.343","v1.0.344","v1.0.345","v1.0.346","v1.0.347","v1.0.351","v1.0.352","v1.0.353","v1.0.354","v1.0.355","v1.0.356","v1.0.357","v1.0.358","v1.0.359","v1.0.360","v1.0.361","v1.0.362","v1.0.363","v1.0.364","v1.0.365","v1.0.366","v1.0.367","v1.0.370","v1.0.371","v1.0.372","v1.0.373","v1.0.374","v1.0.375","v1.0.376","v1.0.377","v1.0.378","v1.0.379","v1.0.380","v1.0.381","v1.0.382","v1.0.383","v1.0.384","v1.0.385","v1.0.386","v1.0.387","v1.0.388","v1.0.389","v1.0.390","v1.0.391","v1.0.392","v1.0.393","v1.0.394","v1.0.395","v1.0.396","v1.0.397","v1.0.398","v1.0.399","v1.0.400","v1.0.401","v1.0.402","v1.0.403","v1.0.404","v1.0.405","v1.0.406","v1.0.407","v1.0.408","v1.0.409","v1.0.410","v1.0.411","v1.0.412","v1.0.413","v1.0.414","v1.0.415","v1.0.416","v1.0.417","v1.0.418","v1.0.420","v1.0.421","v1.0.422","v1.0.423","v1.0.424","v1.0.425"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-15284.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/octobercms/october","events":[{"introduced":"0"},{"last_affected":"93a2898379c5267607a939a60ad4b366d97a079d"}],"database_specific":{"cpe":"cpe:2.3:a:octobercms:october:1.0.425:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"1.0.425"}]}}],"versions":["v1.0.319","v1.0.320","v1.0.321","v1.0.322","v1.0.323","v1.0.324","v1.0.325","v1.0.326","v1.0.327","v1.0.328","v1.0.329","v1.0.330","v1.0.331","v1.0.333","v1.0.334","v1.0.338","v1.0.340","v1.0.341","v1.0.342","v1.0.343","v1.0.344","v1.0.345","v1.0.346","v1.0.351","v1.0.352","v1.0.353","v1.0.354","v1.0.355","v1.0.356","v1.0.358","v1.0.359","v1.0.360","v1.0.361","v1.0.362","v1.0.363","v1.0.364","v1.0.365","v1.0.366","v1.0.367","v1.0.370","v1.0.371","v1.0.372","v1.0.373","v1.0.374","v1.0.375","v1.0.376","v1.0.377","v1.0.378","v1.0.379","v1.0.380","v1.0.381","v1.0.382","v1.0.383","v1.0.384","v1.0.385","v1.0.386","v1.0.387","v1.0.388","v1.0.389","v1.0.390","v1.0.391","v1.0.392","v1.0.393","v1.0.394","v1.0.395","v1.0.396","v1.0.397","v1.0.398","v1.0.399","v1.0.400","v1.0.401","v1.0.402","v1.0.403","v1.0.404","v1.0.405","v1.0.406","v1.0.407","v1.0.408","v1.0.409","v1.0.410","v1.0.411","v1.0.412","v1.0.413","v1.0.414","v1.0.415","v1.0.416","v1.0.417","v1.0.418","v1.0.419","v1.0.420","v1.0.421","v1.0.422","v1.0.423","v1.0.424","v1.0.425"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-15284.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}