CVE-2024-51991: October CMS Allows Unprotected SVG Rename in Media Manager

May 5, 2025

This advisory affects authenticated administrators with sites that have the media.clean_vectors configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this protection by uploading it with a permitted extension (for example, .jpg or .png) and later modifying it to the .svg extension.

This vulnerability assumes a trusted user will attack another trusted user and cannot be actively exploited without access to the administration panel and interaction from the other user.

References

github.com/advisories/GHSA-96hh-8hx5-cpw7
github.com/octobercms/october
github.com/octobercms/october/security/advisories/GHSA-96hh-8hx5-cpw7
nvd.nist.gov/vuln/detail/CVE-2024-51991

Code Behaviors & Features

Detect and mitigate CVE-2024-51991 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →