CVE-2015-5612: October CMS XSS In Caption Tag of Profile
Basic Information

| Field | Value |
|---|---|
| CVSS Score | N/A |
| CVE ID | CVE-2015-5612 |
| GHSA ID | |
| EPSS Score | 0.48912% |
| CWE | |
| Published | 5/17/2022 |
| Updated | 8/13/2023 |
| KEV Status | No |
| Technology | PHP |
Technical Details
CVSS Vector: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| october/october | composer | < 1.0.319 | 1.0.319 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
Commit 8a4ac53 adds HTML escaping via the e() helper around title and file_name output in several file-upload templates. The vulnerability manifests in profile image caption handling, which uses these templates. Before the patch, user-controlled title values were interpolated directly into HTML without output encoding, so an administrator viewing a malicious user profile would have the injected markup executed in their browser (stored XSS). The affected partial templates (_image_single.htm and _image_multi.htm) are identified in the diff as the points where output encoding was missing.
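The following stand-alone PHP script is an added illustration, not code from the October CMS repository or from commit 8a4ac53: it contrasts a caption rendered with raw interpolation against the same caption passed through e(), and includes a small reflection check useful when auditing templates. The template markup, the caption value and the file name are constructed, and the local e() is assumed to mirror the framework helper (htmlspecialchars with ENT_QUOTES, UTF-8).

```php
<?php
// Added example, not October CMS code. e() is defined here to mirror the
// framework helper; its exact implementation is an assumption.
function e(?string $value): string {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed stand-ins for the upload partials. Before the fix the
// user-controlled title and file name are interpolated raw into the markup.
function renderCaptionVulnerable(string $title, string $fileName): string {
    return "<span class=\"caption\" title=\"$fileName\">$title</span>";
}

// After the fix both values are HTML-encoded at the point of output.
function renderCaptionFixed(string $title, string $fileName): string {
    return '<span class="caption" title="' . e($fileName) . '">' . e($title) . '</span>';
}

// Audit helper: true when the untrusted value contains HTML metacharacters
// and appears in the rendered output exactly as supplied, i.e. unencoded.
function inputReflectedUnescaped(string $input, string $rendered): bool {
    return $input !== e($input) && strpos($rendered, $input) !== false;
}

// Constructed caption a user might save on their profile image.
$caption  = '<script>alert(1)</script>';
$fileName = 'avatar.png';

$vulnerable = renderCaptionVulnerable($caption, $fileName);
$fixed      = renderCaptionFixed($caption, $fileName);

printf("vulnerable reflects raw markup: %s\n",
    inputReflectedUnescaped($caption, $vulnerable) ? 'yes' : 'no');
printf("fixed reflects raw markup:      %s\n",
    inputReflectedUnescaped($caption, $fixed) ? 'yes' : 'no');
echo $fixed, PHP_EOL;
```

Run it with `php script.php`; the encoded output shows the caption as inert text (`&lt;script&gt;...`) rather than an executable element.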