CVE-2024-51991
📋 TL;DR
This vulnerability allows authenticated administrators in October CMS to bypass SVG file sanitization by uploading files with permitted extensions (like .jpg) and later renaming them to .svg. It affects sites with the media.clean_vectors configuration enabled and requires attacker access to the administration panel plus interaction from another trusted user.
💻 Affected Systems
- October CMS
📦 What is this software?
October by Octobercms
⚠️ Risk & Real-World Impact
Worst Case
Malicious SVG files could be uploaded and executed, potentially leading to cross-site scripting (XSS) attacks or other client-side attacks against users viewing the SVG content.
Likely Case
Limited impact due to requiring authenticated administrator access and specific configuration; most likely used for targeted attacks between trusted users rather than widespread exploitation.
If Mitigated
With proper access controls and monitoring, impact is minimal as it requires privileged access and specific configuration settings.
🎯 Exploit Status
Requires authenticated administrator access and specific configuration; attacker needs to trick another user into interacting with the renamed file
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.5
Vendor Advisory: https://github.com/octobercms/october/security/advisories/GHSA-96hh-8hx5-cpw7
Restart Required: No
Instructions:
1. Back up your October CMS installation and database.
2. Update to version 3.7.5 or later via Composer: composer require october/october:^3.7.5
3. Run php artisan october:up to apply any necessary migrations.
🔧 Temporary Workarounds
Disable media.clean_vectors configuration
Temporarily disable the vulnerable SVG sanitization feature
Edit config/media.php and set 'clean_vectors' => false
Restrict file upload extensions
Limit allowed file extensions in media manager to exclude SVG
Edit config/media.php and modify 'allowed_extensions' array to exclude 'svg'
🧯 If You Can't Patch
- Implement strict access controls for administrator accounts
- Monitor and audit file upload activities in the media manager
🔍 How to Verify
Check if Vulnerable:
Check whether the site runs October CMS version < 3.7.5 and whether config/media.php has 'clean_vectors' => true
Check Version:
php artisan october:version
Verify Fix Applied:
Verify version is 3.7.5 or higher and test SVG upload sanitization functionality
📡 Detection & Monitoring
Log Indicators:
- Multiple file uploads with same content but different extensions
- File rename operations in media manager
- SVG file uploads from administrator accounts
Network Indicators:
- Unusual file upload patterns to media endpoints
SIEM Query:
source="octobercms" AND (event="file_upload" OR event="file_rename") AND (extension="svg" OR extension="jpg" OR extension="png")
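As an added example (not part of this advisory and not October CMS's own code): a small Python detector that applies the log indicators above to constructed sample log lines, flagging a media-manager rename from a permitted extension to .svg and correlating it with the earlier upload, plus a content check for files whose bytes look like SVG despite a non-SVG name. The log line layout, event names and field names are assumptions for the example.

```python
import re

# Constructed sample media-manager log lines; the field layout is an assumption
# for this example and will differ from October CMS's real log format.
SAMPLE_LOGS = [
    "2024-11-02T10:01:12Z user=admin event=file_upload path=/media/hero.jpg",
    "2024-11-02T10:01:40Z user=admin event=file_rename from=/media/hero.jpg to=/media/hero.svg",
    "2024-11-02T10:05:03Z user=editor event=file_upload path=/media/logo.svg",
    "2024-11-02T10:06:10Z user=editor event=file_rename from=/media/logo.svg to=/media/logo-old.svg",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) (?P<fields>.*)$")

def parse_line(line):
    """Turn one 'key=value' log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "user": m["user"], "event": m["event"]}
    for kv in m["fields"].split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec

def ext_of(path):
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""

def find_svg_rename_bypass(lines):
    """Return renames that turn a non-SVG-extension file into .svg (the sanitizer bypass)."""
    uploaded, findings = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "file_upload":
            uploaded.add(rec.get("path"))
        elif rec["event"] == "file_rename":
            src, dst = rec.get("from", ""), rec.get("to", "")
            if ext_of(dst) == "svg" and ext_of(src) != "svg":
                findings.append({"ts": rec["ts"], "user": rec["user"], "from": src,
                                 "to": dst, "uploaded_in_window": src in uploaded})
    return findings

def looks_like_svg(data):
    """Content check: bytes that begin like an SVG document regardless of file name."""
    head = data.lstrip()[:256].lower()
    return head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head)
```

Run find_svg_rename_bypass over the rename and upload events exported from the media manager; pair it with looks_like_svg on files stored under image extensions to catch the same bypass at rest.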