CVE-2024-25637: October System module has a Reflected XSS via X-October-Request-Handler Header

June 26, 2024

The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool.

References

github.com/advisories/GHSA-rjw8-v7rr-r563
github.com/octobercms/october
github.com/octobercms/october/security/advisories/GHSA-rjw8-v7rr-r563
nvd.nist.gov/vuln/detail/CVE-2024-25637

Detect and mitigate CVE-2024-25637 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →