CVE-2020-5298— Reflected XSS when importing CSV in OctoberCMS
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-5298
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Reflected XSS when importing CSV in OctoberCMS
Source: NVD (National Vulnerability Database)
Vulnerability Description
In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466).
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
替代XSS语法转义处理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
October CMS 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
October CMS是一套基于PHP和Laravel Web应用程序框架的开源内容管理系统(CMS)。 October CMS(composer)1.0.319及之后版本(已在1.0.466版本中修复)中存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| octobercms | october | >= 1.0.319, < 1.0.466 | - |
II. Public POCs for CVE-2020-5298
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2020-5298
请登录查看更多情报信息。
Same Patch Batch · octobercms · 2020-06-03 · 5 CVEs total
| CVE-2020-5296 | 6.2 MEDIUM | Arbitrary File Deletion vulnerability in OctoberCMS |
| CVE-2020-5295 | 4.8 MEDIUM | Local File read vulnerability in OctoberCMS |
| CVE-2020-5299 | 4.0 MEDIUM | Potential CSV Injection vector in OctoberCMS |
| CVE-2020-5297 | 3.4 LOW | Upload whitelisted files to any directory in OctoberCMS |
IV. Related Vulnerabilities
Same product: october
- CVE-2026-29179
October: Editor Sub-Permission Bypass for Asset and Blueprin - CVE-2026-27937
October: Reflected XSS via DataTable Form Widget - CVE-2026-26274
October: Safe Mode Bypass via Twig Database Write Operations - CVE-2026-26067
October: Safe Mode Bypass via CSS Preprocessor Compilers - CVE-2026-25133
October CMS has Stored XSS via SVG Filter Bypass
Same vendor: octobercms
- CVE-2026-29179
October: Editor Sub-Permission Bypass for Asset and Blueprin - CVE-2026-27937
October: Reflected XSS via DataTable Form Widget - CVE-2026-26274
October: Safe Mode Bypass via Twig Database Write Operations - CVE-2026-26067
October: Safe Mode Bypass via CSS Preprocessor Compilers - CVE-2026-25133
October CMS has Stored XSS via SVG Filter Bypass
Same weakness: CWE-87
- CVE-2026-42235
n8n: XSS via MCP OAuth client - CVE-2026-40321
DotNetNuke.Core has stored cross-site-scripting (XSS) via SV - CVE-2025-14732
Elementor Website Builder <= 3.35.5 - Authenticated (Contrib - CVE-2026-22711
Stored XSS through system messages in WikiLove - CVE-2026-33510
DOM-Based XSS in Homarr /auth/login Redirect
V. Comments for CVE-2020-5298
No comments yet