CVE-2024-45962: 
PHP vulnerability analysis and mitigation

October 3.6.30 contains a stored Cross-Site Scripting (XSS) vulnerability that allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. The vulnerability was discovered and disclosed on October 2, 2024, and is tracked as CVE-2024-45962 (NVD, GrimTheRipper).

The vulnerability exists in the Media upload functionality of October CMS 3.6.30's admin interface, specifically in the /admin/media endpoint. When a PDF file containing malicious JavaScript code is uploaded through the Documents section, the application fails to properly sanitize the file content. The vulnerability has been assigned a CVSS v3.1 base score of 4.7 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N) and is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

If a malicious PDF file is accessed through the website, it could lead to Cross-Site Scripting (XSS) attacks or execute arbitrary JavaScript code in the context of users viewing the file. This could potentially allow attackers to steal sensitive information, hijack user sessions, or perform unauthorized actions on behalf of the victims (GrimTheRipper).