Miggo Logo
Miggo Vulnerability Database
CVE-2015-5612

CVE-2015-5612: October CMS XSS In Caption Tag of Profile

N/A

CVSS Score

Basic Information

CVE ID
CVE-2015-5612
GHSA ID
GHSA-9hq8-v2jc-qj4r
EPSS Score
0.48912%
CWE
CWE-79
Published
5/17/2022
Updated
8/13/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
october/octobercomposer< 1.0.3191.0.319

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The commit 8a4ac53 shows added HTML escaping (e() function) around title/file_name output in multiple file upload templates. The vulnerability manifests in profile image caption handling, which uses these templates. Before the patch, user-controlled title values were directly interpolated into HTML without sanitization, enabling XSS when administrators view malicious user profiles. The affected partial templates (_image_single.htm and _image_multi.htm) are clearly identified in the diff as the vulnerable points where output encoding was missing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* s*riptin* (XSS) vuln*r**ility in O*to**r *MS *uil* *** *n* **rli*r *llows r*mot* *tt**k*rs to inj**t *r*itr*ry w** s*ript or *TML vi* t** **ption t** o* * pro*il* im***.

Reasoning

T** *ommit ******* s*ows ***** *TML *s**pin* (*() *un*tion) *roun* titl*/*il*_n*m* output in multipl* *il* uplo** t*mpl*t*s. T** vuln*r**ility m*ni**sts in pro*il* im*** **ption **n*lin*, w*i** us*s t**s* t*mpl*t*s. ***or* t** p*t**, us*r-*ontroll**