CVE-2024-24764

Severity: LOW (CVSS 3.5), EPSS 0.10%

October System module has an Open Redirect for Administrator Accounts

Published: 6/26/2024
Modified: 6/26/2024
Also known as: GHSA-v2vf-jv88-3fp5

Description

### Impact

This advisory affects authenticated administrators, who may be redirected to an untrusted URL through the PageFinder link schema. The resolver for the page finder link schema (`october://`) allowed external links, which permits an open redirect outside the scope of the active host. This vulnerability assumes a trusted user will attack another trusted user; it cannot be actively exploited without access to the administration panel and interaction from the other user.

### Patches

This issue has been patched in v3.5.15.

### References

Credits to:

- [Benzetaa](https://github.com/benzetaa/)

### For more information

If you have any questions or comments about this advisory:

* Email us at [[email protected]](mailto:[email protected])
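The fix described above amounts to scoping the resolved target to the active host before redirecting. The following is an added Python example, not October CMS code and not the patch itself: it does not model the `october://` link format, but shows the host check a link resolver should apply to whatever URL it produces, including the variants that commonly slip past naive "does it start with a slash" tests. The link table, host names and the `resolve_redirect` helper are constructed for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def is_same_host_redirect(target: str, active_host: str) -> bool:
    """Return True only if redirecting to `target` keeps the user on `active_host`.

    Accepts absolute-path URLs ("/backend/...") and absolute URLs whose hostname
    equals the active host; rejects everything else, including protocol-relative
    ("//host"), userinfo tricks ("host@evil"), non-http schemes and backslash
    variants that browsers read as slashes.
    """
    if not target:
        return False
    # Browsers treat "\" like "/", so "/\evil.example" is really "//evil.example".
    candidate = target.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
        host = parts.hostname  # lowercased, userinfo and port stripped
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parts.scheme and parts.scheme not in ALLOWED_SCHEMES:
        return False  # javascript:, data:, mailto:, ...
    if not parts.netloc:
        # Only a scheme-less, single-leading-slash path counts as local;
        # "//host" and "///host" both carry an authority to a browser, and
        # "https:evil.example" has a scheme but no authority, so it is refused.
        return (
            parts.scheme == ""
            and candidate.startswith("/")
            and not candidate.startswith("//")
        )
    return host is not None and host == active_host.lower()


# Constructed stand-in for a page-finder link table: key -> resolved URL.
# The "partner" entry simulates a link whose resolved target is an external site.
PAGE_LINKS = {
    "blog": "/blog",
    "contact": "https://cms.example/contact",
    "partner": "https://partner.example/landing",
}


def resolve_redirect(link_key: str, active_host: str, fallback: str = "/") -> str:
    """Hypothetical resolver: look the key up, then refuse to redirect anywhere
    that would leave the active host, returning a local fallback instead."""
    target = PAGE_LINKS.get(link_key, fallback)
    return target if is_same_host_redirect(target, active_host) else fallback


if __name__ == "__main__":
    for key in ("blog", "contact", "partner", "missing"):
        print(f"{key:8} -> {resolve_redirect(key, 'cms.example')}")
```

The check deliberately compares the parsed hostname rather than matching a string prefix, so `https://cms.example.evil.example/` and `https://cms.example@evil.example/` are both rejected; relative paths without a leading slash are also refused, which is the safer default for a redirect target.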

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L |

References (3)