CVE-2024-25637 — October System module has a Reflected XSS via X-October-Request-Handler Header

Description

### Impact The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool. ### Patches This issue has been patched in v3.5.15. ### References Credits to: - [Mayank Mehra](mailto:[email protected]) ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected])

How to fix CVE-2024-25637

To remediate CVE-2024-25637, upgrade the affected package to a fixed version below.

—upgrade to 3.5.15 or later

Is CVE-2024-25637 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 3.2, < 3.5.15

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.1	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-25637
PATCHgithub.com/octobercms/october
WEBgithub.com/octobercms/october/security/advisories/GHSA-rjw8-v7rr-r563