CVE-2024-25637

Name of the Vulnerable Software and Affected Versions October versions prior to 3.5.15

Description The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this issue cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool.

Recommendations For versions prior to 3.5.15, update to version 3.5.15 to resolve the issue. As a temporary workaround, consider restricting access to the X-October-Request-Handler Header to minimize the risk of exploitation.