from 0, < 1.0.472
CRITICAL 9.1 CVE-2023-44382 October CMS safe mode bypass using Twig sandbox escape
>= 3.0.0, < 3.4.15
HIGH 8.8 october/system arbitrary code execution
>= 1.1.0, < 1.1.6
HIGH 8.8 October/System authenticated file write leads to remote code execution
>= 1.1.0, < 1.1.6
HIGH 8.1 October CMS upload process vulnerable to RCE via Race Condition
from 0, < 1.0.476
HIGH 7.4 October CMS auth bypass and account takeover
from 0, < 1.0.472
HIGH 7.2 October CMS Safe Mode bypass leads to authenticated Remote Code Execution
>= 2.0.0, < 2.2.34
HIGH 7.2 Authenticated remote code execution in October CMS
from 0, < 1.0.474
HIGH 7.2 Deleted Admin Can Sign In to Admin Interface
>= 2.1.0, < 2.1.12
MEDIUM 6.1 October CMS Vulnerable to Stored XSS via Branding Styles
from 0, < 3.7.13
MEDIUM 6.1 October CMS Vulnerable to Stored XSS via Editor and Branding Styles
from 0, < 3.7.13
MEDIUM 5.4 October CMS has Stored XSS in Event Log Mail Preview
>= 4.0.0, < 4.1.10
MEDIUM 5.4 October CMS has Stored XSS in Backend Editor Markup Classes
>= 4.0.0, < 4.1.10
MEDIUM 5.4 October CMS stored XSS by authenticated backend user with improper configuration
>= 3.0.0, < 3.5.2
MEDIUM 4.9 October CMS has Safe Mode Bypass via CSS Preprocessor Compilers
from 0, < 3.7.14
MEDIUM 4.9 October CMS safe mode bypass using Page template injection
>= 3.0.0, < 3.4.15
MEDIUM 4.8 Missing server signature validation in OctoberCMS
>= 1.1.0, < 1.1.11
LOW 3.5 October System module has an Open Redirect for Administrator Accounts
>= 3.2, < 3.5.15
LOW 3.3 October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations
>= 4.0.0, < 4.1.16
LOW 3.1 October CMS: Reflected XSS via DataTable Form Widget
from 0, < 3.7.16
LOW 3.1 October System module has a Reflected XSS via X-October-Request-Handler Header
>= 3.2, < 3.5.15
— October CMS Allows Unprotected SVG Rename in Media Manager
from 0, < 3.7.5