CVE-2024-51991: 
PHP vulnerability analysis and mitigation

CVE-2024-51991 affects October CMS, a Content Management System (CMS) and web platform, in versions prior to 3.7.5. The vulnerability was discovered and disclosed on May 3, 2025, specifically impacting authenticated administrators on sites with the media.clean_vectors configuration enabled. This configuration is designed to sanitize SVG files uploaded through the media manager (GitHub Advisory).

The vulnerability allows authenticated users to bypass SVG file sanitization protection in the media manager. The bypass mechanism involves uploading a file with a permitted extension (such as .jpg or .png) and subsequently modifying it to the .svg extension. The vulnerability has been assigned a CVSS v4.0 score of 1.1 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U (NVD).

The impact of this vulnerability is considered low as it requires specific conditions to be exploited. It can only be executed when a trusted user attacks another trusted user, requiring both administrative access and user interaction. The vulnerability cannot be actively exploited without access to the administration panel and interaction from the targeted user (GitHub Advisory, Wiz).

The vulnerability has been patched in October CMS version 3.7.5. Users are strongly advised to upgrade to this version or later to mitigate the risk (GitHub Advisory).