
October CMS 3.4.16 is affected by a reflected Cross-Site Scripting (XSS) vulnerability that allows an attacker to execute arbitrary web script in the victim's browser via a crafted payload submitted in the dbhost field during the installation process.

October CMS Reflected XSS v3.4.16

Author: (Sergio)

Description: A Cross-Site Scripting (XSS) vulnerability in the installer of October v3.4.16 allows an attacker with access to the installation wizard to execute arbitrary web scripts via a crafted payload injected into the dbhost field.

Attack Vectors: Missing sanitization of the dbhost field in the installer allows JavaScript code to be injected and reflected back into the page.


During the installation process, enter the XSS payload in the dbhost field; after clicking Next, the payload is reflected into the page and the XSS pop-up appears.

XSS Payload:

[image: XSS dbhost payload]

In the following image you can see the embedded code that executes the payload in the installation process.
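To make the failure mode concrete, the following is an added example written for this page in Python; it is not October CMS code (which is PHP), it does not reproduce the installer's real templates, and the payload it uses is a constructed one, not the advisory's. It renders a hypothetical db_host input the unsafe way (value interpolated raw) and the escaped way, then parses both fragments the way a browser would to show that only the unescaped version turns the submitted string into a live <script> element. A host[:port] allowlist check is included as the second layer a hardened installer would add.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed test payload for this example; the advisory's own payload is not reproduced here.
TEST_PAYLOAD = '"><script>alert(document.domain)</script>'


def render_dbhost_vulnerable(dbhost: str) -> str:
    """Hypothetical installer step that echoes the submitted host unescaped
    into the form. This is NOT October CMS code, just the pattern the
    advisory describes."""
    return f'<input type="text" name="db_host" value="{dbhost}">'


def render_dbhost_hardened(dbhost: str) -> str:
    """Same fragment with HTML attribute escaping applied to the value.
    escape(..., quote=True) also encodes " and ', so the value cannot
    terminate the attribute early."""
    return f'<input type="text" name="db_host" value="{escape(dbhost, quote=True)}">'


# Allowlist for what a database host should look like: hostname or IPv4
# with an optional :port. Bracketed IPv6 literals are deliberately not
# handled here; extend the pattern if you need them.
DBHOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.\-]{0,252}[A-Za-z0-9])?(?::[0-9]{1,5})?$")


def is_plausible_dbhost(dbhost: str) -> bool:
    """Input validation as a second layer: reject anything that is not a
    host[:port]. Escaping on output is still required even when this passes."""
    return DBHOST_RE.fullmatch(dbhost) is not None


class _ScriptAndInputCounter(HTMLParser):
    """Counts <script> start tags and records <input> attributes as the
    browser's parser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.inputs: list[dict] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            self.script_tags += 1
        elif tag == "input":
            self.inputs.append(dict(attrs))


def analyze(rendered: str) -> tuple[int, str]:
    """Parse a rendered fragment and return (number of <script> elements,
    value the db_host input actually carries). For a safe rendering the
    count is 0 and the value round-trips the original string unchanged."""
    parser = _ScriptAndInputCounter()
    parser.feed(rendered)
    parser.close()
    value = next((i.get("value") for i in parser.inputs if i.get("name") == "db_host"), None)
    return parser.script_tags, value or ""


if __name__ == "__main__":
    for label, render in (("vulnerable", render_dbhost_vulnerable),
                          ("hardened", render_dbhost_hardened)):
        scripts, value = analyze(render(TEST_PAYLOAD))
        print(f"{label}: script elements={scripts}, db_host value={value!r}")
    print("payload passes host validation:", is_plausible_dbhost(TEST_PAYLOAD))
```

The vulnerable rendering yields one <script> element and an empty db_host value, because the leading `">` in the payload closed the attribute and the tag; the hardened rendering yields no script element and the input carries the payload verbatim as inert data. Escaping for the HTML attribute context is the fix; the allowlist only narrows what reaches the template and is not a substitute for it.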


Additional Information:

