CVE-2024-45962: n/a
October CMS 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript to the target system. If the file is accessed through the website, this can lead to a Cross-Site Scripting (XSS) attack or to the execution of arbitrary crafted JavaScript against the target.
AI Analysis
Technical Summary
CVE-2024-45962 is a vulnerability in October CMS version 3.6.30 that allows an authenticated administrator to upload a PDF file with embedded malicious JavaScript. When the PDF is opened through the website, the script can run in the viewer's browser, which amounts to a Cross-Site Scripting (XSS) attack and can extend to arbitrary code execution within the victim's browser context. The root cause is insufficient validation or sanitization of uploaded PDF content: JavaScript embedded in the PDF is neither stripped nor blocked. Exploitation requires an authenticated admin account to upload the file, and user interaction is needed to trigger the payload by viewing the PDF on the site. The issue is classified under CWE-79 (improper neutralization of input during web page generation, i.e. XSS). The CVSS score is 4.7 (medium), but the consequences are meaningful because a successful attack can lead to session hijacking, defacement, or further exploitation through the victim's browser. No public exploits or patches are currently available, consistent with a newly disclosed issue. The vulnerability affects the confidentiality and integrity of user sessions and data but does not directly affect availability. The attack vector is network-based with low attack complexity, but it requires privileges and user interaction. Only October CMS installations that allow admin PDF uploads and serve those files to users are exposed.
Potential Impact
The primary impact of CVE-2024-45962 is the potential compromise of user sessions and data confidentiality through Cross-Site Scripting attacks. If exploited, attackers could execute arbitrary JavaScript in the context of users visiting the affected site, potentially stealing cookies, session tokens, or performing actions on behalf of users. This could lead to unauthorized access, data leakage, or defacement of the website. Since exploitation requires an authenticated admin to upload the malicious PDF, insider threats or compromised admin accounts pose the greatest risk. The vulnerability could also be leveraged in targeted attacks against organizations relying on October CMS for content management, especially those with sensitive user data or critical business functions. The lack of a patch increases exposure time, and the ability to execute arbitrary code via JavaScript could facilitate further attacks such as phishing or malware delivery. However, the requirement for user interaction and admin privileges limits the widespread automated exploitation potential. Organizations worldwide using October CMS may face reputational damage, regulatory penalties, and operational disruptions if this vulnerability is exploited.
Mitigation Recommendations
Organizations should immediately review and restrict the ability of admin users to upload PDF files or any files containing executable content. Implement strict file type validation and content sanitization on all uploads, ensuring that PDFs cannot contain active JavaScript or other executable code. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and reduce the impact of XSS attacks. Monitor admin account activities for unusual upload behavior and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of compromised admin credentials. Until a patch is released, consider disabling PDF uploads or restricting access to trusted administrators only. Regularly audit and update October CMS installations and subscribe to vendor advisories for timely patching. Additionally, educate users and administrators about the risks of opening untrusted files and implement web application firewalls (WAFs) to detect and block suspicious payloads. Finally, conduct penetration testing focused on file upload functionalities to identify similar weaknesses.
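A defensive upload check for the "content sanitization" recommendation above, added here as an example and not code from October CMS or from this advisory. It rejects a file that is not a PDF by content, scans for the PDF name objects that introduce active content (decoding the `#xx` hex escapes PDF names may carry, so an obfuscated `/J#61vaScript` is still recognised), and refuses files whose objects sit inside compressed object streams, since a byte scan cannot inspect those. The sample PDFs and the function names are constructed for this example.

```python
import re

# PDF name objects that introduce active or externally-acting content.
ACTIVE_NAMES = {
    b"/JavaScript", b"/JS",           # script actions and script streams
    b"/OpenAction", b"/AA",           # run automatically on open / on events
    b"/Launch", b"/SubmitForm",       # launch programs, post form data
    b"/RichMedia", b"/EmbeddedFile",  # embedded media and file payloads
}
# A PDF name token: '/' then regular characters, possibly with #xx hex escapes.
_NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
_HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _canonical_name(token: bytes) -> bytes:
    """Decode '#xx' escapes so '/J#61vaScript' compares equal to '/JavaScript'."""
    return _HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def find_active_content(pdf: bytes) -> list[str]:
    """Return the active-content names present in the PDF, de-obfuscated and sorted."""
    found = {_canonical_name(t) for t in _NAME_RE.findall(pdf)}
    return sorted(n.decode("latin-1") for n in found & ACTIVE_NAMES)


def validate_pdf_upload(data: bytes) -> tuple[bool, list[str]]:
    """Accept only files that are PDFs by content and carry no active content.
    Objects inside compressed object streams (/ObjStm) cannot be seen by a byte
    scan, so such files are rejected as well (fail closed)."""
    reasons = []
    if not data.startswith(b"%PDF-"):
        reasons.append("not a PDF (missing %PDF- header)")
    names = find_active_content(data)
    if names:
        reasons.append("active content: " + ", ".join(names))
    if b"/ObjStm" in data:
        reasons.append("compressed object streams present; cannot inspect")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed samples, not real files: a minimal clean PDF and one with an
    # auto-run script action whose /JavaScript name is obfuscated with '#61'.
    CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF"
    SCRIPTED = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                b"2 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF")
    print(validate_pdf_upload(CLEAN))     # (True, [])
    print(validate_pdf_upload(SCRIPTED))  # (False, ['active content: /JS, /JavaScript, /OpenAction'])
```

This check only gates the upload; serving accepted files as downloads rather than inline, with the CSP headers the recommendations describe, is a separate layer.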
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-09-11T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6cf5b7ef31ef0b56a7fa
Added to database: 2/25/2026, 9:43:17 PM
Last enriched: 2/26/2026, 8:23:29 AM
Last updated: 4/12/2026, 9:10:32 AM