PT-2017-13966 · October · October Cms

Ishaq Mohammed

·

Published

2017-10-12

·

Updated

2022-05-13

·

CVE-2017-15284

CVSS v3.1

5.4

Medium

Vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OctoberCMS version 1.0.425
Description: The issue allows a least-privileged back-end user to upload an SVG file containing malicious code (embedded JavaScript) as the avatar for their profile. When the avatar is opened by an administrator, the script executes in the context of the administrator's account (stored cross-site scripting).
Recommendations: For OctoberCMS version 1.0.425, consider restricting the upload of SVG files, or disabling the ability to set custom avatars, until a fix is available. Additionally, restrict access to the profile management feature to minimize the risk of exploitation. Any upload restriction should be enforced on the file content, not only on the file extension or the client-supplied Content-Type, since an SVG renamed to .png is still rendered as SVG when served with its sniffed or original type.
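The recommendation above only holds if it is enforced on the uploaded bytes rather than on the filename or the client-supplied Content-Type. As an added example, not code from the advisory or from OctoberCMS, the following Python validator classifies the upload by its content, rejects SVG by default (the advisory's first recommendation), and, where SVG must be allowed, denies files carrying the common script vectors (a partial deny-list, not a complete sanitizer). The function names, the constructed sample uploads and the deny-list are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml

# Raster formats identified by their leading bytes; an SVG never starts like this.
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Illustrative deny-list of SVG script vectors (assumption); rejecting SVG outright is stronger.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)


def local_name(qualified: str) -> str:
    """ElementTree spells namespaced names as '{uri}name'; keep only 'name'."""
    return qualified.rsplit("}", 1)[-1]


def sniff(data: bytes):
    """Classify an upload by its bytes, ignoring filename and Content-Type.

    Returns (kind, root); root is the parsed XML tree for SVG/XML input, else None.
    """
    for magic, kind in RASTER_MAGIC.items():
        if data.startswith(magic):
            return kind, None
    if data.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(b"<"):
        try:
            root = ET.fromstring(data)
        except ET.ParseError:
            return "malformed-xml", None
        return ("svg" if local_name(root.tag) == "svg" else "xml"), root
    return "unknown", None


def svg_active_content(root) -> list:
    """List script-bearing constructs in a parsed SVG: <script>/<foreignObject>,
    on* event handlers on any element, and javascript: URLs in href/xlink:href."""
    findings = []
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for qname, value in el.attrib.items():
            attr = local_name(qname)
            if attr.lower().startswith("on"):
                findings.append(f"{attr} event handler on <{tag}>")
            elif attr == "href" and JS_URL.match(value):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def validate_avatar(filename: str, content_type: str, data: bytes, allow_svg: bool = False):
    """Accept raster images; accept SVG only when allow_svg is set and it carries no
    active content. Returns (accepted, reason)."""
    kind, root = sniff(data)
    if kind in ("png", "jpeg", "gif"):
        return True, f"accepted {kind}"
    if kind == "svg":
        if not allow_svg:
            return False, (f"SVG content rejected by policy (submitted as {filename!r} "
                           f"with Content-Type {content_type!r})")
        findings = svg_active_content(root)
        if findings:
            return False, "SVG contains active content: " + "; ".join(findings)
        return True, "accepted svg (no active content found)"
    return False, f"rejected: {kind}"


# Constructed sample uploads for the demonstration (not taken from the advisory).
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # PNG signature followed by filler bytes
SVG_BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="8" cy="8" r="6"/></svg>'
SVG_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'
SVG_ONLOAD = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">'
              b'<rect width="8" height="8"/></svg>')
SVG_JSHREF = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<a xlink:href="javascript:alert(document.domain)"><text y="10">profile</text></a></svg>')

if __name__ == "__main__":
    samples = [
        ("me.png", "image/png", PNG, False),
        ("me.png", "image/png", SVG_SCRIPT, False),   # SVG disguised as PNG: still rejected
        ("me.svg", "image/svg+xml", SVG_SCRIPT, True),
        ("me.svg", "image/svg+xml", SVG_ONLOAD, True),
        ("me.svg", "image/svg+xml", SVG_JSHREF, True),
        ("me.svg", "image/svg+xml", SVG_BENIGN, True),
    ]
    for name, ctype, blob, allow in samples:
        print(name, validate_avatar(name, ctype, blob, allow_svg=allow))
```

The disguised sample (SVG bytes submitted as `me.png` with `image/png`) is rejected because classification never consults the name or the declared type. When SVG must be supported, a deny-list like the one above is only a stopgap: rasterizing the avatar server-side, or running a full allow-list sanitizer, removes the script surface rather than pattern-matching against it, and serving user-supplied files from a separate origin limits what any script that slips through can reach.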

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2017-15284
GHSA-GVGF-FP4M-2HW6

Affected products

October Cms