CVE-2023-37692

Name of the Vulnerable Software and Affected Versions October CMS version 3.4.4

Description The issue allows attackers to execute arbitrary code via a crafted file, specifically an svg file, which can be uploaded to the system. This can be done in the context of a browser and requires the attacker to be authenticated as a user.

Recommendations For October CMS version 3.4.4, consider disabling the file upload feature, especially for svg files, until a patch is available to prevent arbitrary code execution. Restrict access to the file upload module to minimize the risk of exploitation. Avoid using the file upload functionality with untrusted files or sources until the issue is resolved.