
CVE-2024-51991: CWE-434: Unrestricted Upload of File with Dangerous Type in octobercms october

Severity: Low
Tags: Vulnerability, CVE-2024-51991, CWE-434
Published: Mon May 05 2025 (05/05/2025, 17:04:53 UTC)
Source: CVE
Vendor/Project: octobercms
Product: october

Description

October is a Content Management System (CMS) and web platform. A vulnerability in versions prior to 3.7.5 affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this protection by uploading it with a permitted extension (for example, .jpg or .png) and later modifying it to the .svg extension. This vulnerability assumes a trusted user will attack another trusted user and cannot be actively exploited without access to the administration panel and interaction from the other user. This issue has been patched in v3.7.5.

AI-Powered Analysis

Last updated: 07/06/2025, 20:41:28 UTC

Technical Analysis

CVE-2024-51991 is a vulnerability in OctoberCMS, a popular content management system and web platform, affecting versions prior to 3.7.5. The vulnerability relates to the improper handling of file uploads in the media manager component when the configuration option 'media.clean_vectors' is enabled. This configuration is intended to sanitize uploaded SVG files so that malicious content cannot reach the site. However, an authenticated administrator can bypass this protection by first uploading the file under a permitted extension such as .jpg or .png, which the SVG sanitizer does not inspect, and then renaming the file so that it carries the .svg extension. Because the rename step does not trigger sanitization, the result is an unsanitized SVG in the media library that may contain scripts or other active content. The attack scenario assumes that the attacker is a trusted user with administrative privileges and that another trusted user interacts with the malicious SVG file, as exploitation requires user interaction. The vulnerability does not allow unauthenticated or remote exploitation and requires administrative access to the backend. The issue has been addressed and patched in OctoberCMS version 3.7.5. The CVSS 4.0 score is 1.1, indicating a low severity, reflecting the limited scope and complexity of exploitation, as well as the requirement for high privileges and user interaction. No known exploits are currently reported in the wild.
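The root cause described above is sanitization keyed to the filename at upload time, so a later rename changes what the file is served as without re-checking it. The following is an added example, not code from the advisory or from OctoberCMS, written in Python rather than the project's PHP so that the checks can be exercised stand-alone. It classifies files by content rather than by the extension the uploader chose, and treats a rename as a second upload that is validated against the destination name. The sample payloads, the `sniff_kind`/`validate_file`/`validate_rename` helpers and the simplified `svg_is_clean` check are all assumptions made for this example; a real deployment would plug in a full SVG sanitizer in place of the regex.

```python
import re
from pathlib import PurePosixPath

# Constructed sample payloads for the example (not taken from the advisory).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
CLEAN_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
             b'<rect width="4" height="4"/></svg>')
# SVG carrying active content; the script body is a placeholder.
SCRIPTED_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
                b'<script>/* constructed: any script content */</script></svg>')

# Allow-listed extensions and the content type each one must actually contain.
EXT_KIND = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".svg": "svg"}

# Simplified stand-in for a real SVG sanitizer (assumption for this example):
# script elements, event-handler attributes, javascript: URLs, foreignObject.
UNSAFE_SVG = re.compile(rb"<script\b|\son[a-z]+\s*=|javascript:|<foreignObject\b", re.I)


def sniff_kind(data: bytes) -> str:
    """Classify a file by its bytes, never by the name the uploader supplied."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    head = data[:2048].lstrip()
    # SVG is XML text whose root (or early) element is <svg ...>.
    if head.startswith(b"<") and re.search(rb"<svg[\s>]", head, re.I):
        return "svg"
    return "unknown"


def svg_is_clean(data: bytes) -> bool:
    """True when the simplified sanitizer finds no active content."""
    return UNSAFE_SVG.search(data) is None


def validate_file(name: str, data: bytes) -> tuple[bool, str]:
    """Accept only allow-listed extensions whose content matches, and only clean SVG."""
    ext = PurePosixPath(name).suffix.lower()
    expected = EXT_KIND.get(ext)
    if expected is None:
        return False, f"extension {ext or '(none)'} is not on the allow-list"
    actual = sniff_kind(data)
    if actual != expected:
        # This is the disguised upload from the advisory: SVG bytes named .jpg/.png.
        return False, f"content looks like {actual}, not {expected}"
    if actual == "svg" and not svg_is_clean(data):
        return False, "svg contains active content"
    return True, "ok"


def validate_rename(old_name: str, new_name: str, data: bytes) -> tuple[bool, str]:
    """A rename that changes the extension is re-validated against the new name."""
    old_ext = PurePosixPath(old_name).suffix.lower()
    new_ext = PurePosixPath(new_name).suffix.lower()
    if old_ext == new_ext:
        return True, "extension unchanged"
    return validate_file(new_name, data)


if __name__ == "__main__":
    print(validate_file("logo.jpg", SCRIPTED_SVG))            # rejected at upload
    print(validate_rename("logo.jpg", "logo.svg", SCRIPTED_SVG))  # rejected at rename
    print(validate_rename("icon.jpg", "icon.svg", CLEAN_SVG))      # allowed
```

Both layers matter: content sniffing stops the disguised upload in the first place, and re-validation on rename catches any file that already sits in the library under a name that does not match its content.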

Potential Impact

For European organizations using OctoberCMS versions prior to 3.7.5 with the 'media.clean_vectors' option enabled, this vulnerability poses a risk primarily in environments where multiple administrators or trusted users manage content collaboratively. An attacker with administrative access could upload malicious SVG files disguised initially as safe image formats, potentially leading to cross-site scripting (XSS) or other client-side attacks when another administrator or user interacts with the file. This could result in unauthorized actions performed in the context of the victim's session, data leakage, or defacement of web content. However, the impact is limited by the need for administrative credentials and user interaction, reducing the likelihood of widespread exploitation. Organizations with strict access controls and monitoring of administrative activities will be less affected. Nonetheless, the vulnerability could be leveraged in targeted attacks or insider threat scenarios, especially in sectors with high-value web assets or sensitive data managed via OctoberCMS. The low CVSS score aligns with the limited impact and exploitation complexity, but organizations should still prioritize patching to maintain a secure environment.

Mitigation Recommendations

1. Upgrade OctoberCMS to version 3.7.5 or later, where this vulnerability is patched. This is the most effective mitigation.
2. If immediate upgrade is not possible, disable the 'media.clean_vectors' configuration temporarily to prevent reliance on the vulnerable sanitization mechanism, while understanding this may reduce SVG upload security.
3. Restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised admin accounts.
4. Implement monitoring and alerting on file upload activities, especially for changes in file extensions or suspicious file renaming operations within the media manager.
5. Conduct regular audits of uploaded media files to detect any unauthorized or suspicious SVG files.
6. Educate administrators about the risks of interacting with untrusted SVG files and encourage cautious handling of media uploads.
7. Employ Content Security Policy (CSP) headers to mitigate the impact of potential XSS attacks originating from malicious SVG files.

These steps go beyond generic advice by focusing on configuration management, access control, monitoring, and user awareness tailored to this specific vulnerability scenario.
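Recommendation 4 above asks for alerting on extension changes in the media manager. The following is an added example, not part of the advisory and not OctoberCMS code, showing detection logic in Python over a constructed audit-log format. The log layout (`user=`, `event=`, `path=`, `from=`, `to=` fields) and the `find_extension_swaps` helper are assumptions for this example; a real deployment would adapt the parser to whatever its media-manager or web-server logs actually record. It flags renames whose destination gains a watched extension (.svg by default) and raises the reason when the same user uploaded the source file, which is the staged pattern the advisory describes.

```python
import re
from dataclasses import dataclass

# Constructed audit-log sample (assumption: a real deployment's layout will differ).
# Paths are assumed to contain no spaces in this format.
SAMPLE_LOG = """\
2025-05-05T17:01:02Z user=alice event=upload path=/media/site/banner.png
2025-05-05T17:02:10Z user=bob event=upload path=/media/site/logo.jpg
2025-05-05T17:02:45Z user=bob event=rename from=/media/site/logo.jpg to=/media/site/logo.svg
2025-05-05T17:03:00Z user=carol event=rename from=/media/site/old.svg to=/media/site/new.svg
2025-05-05T17:03:30Z user=alice event=rename from=/media/site/banner.png to=/media/site/hero.png
"""

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) (?P<rest>.*)$")


@dataclass
class Alert:
    ts: str
    user: str
    path: str
    reason: str


def ext_of(path: str) -> str:
    """Lower-cased extension without the dot, or '' when there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_extension_swaps(log_text: str, watched=("svg",)) -> list[Alert]:
    """Return one Alert per rename that turns a non-watched extension into a watched one."""
    uploads: dict[str, str] = {}  # path -> user who uploaded it
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the detector
        fields = dict(kv.split("=", 1) for kv in m["rest"].split())
        if m["event"] == "upload":
            uploads[fields["path"]] = m["user"]
        elif m["event"] == "rename":
            src, dst = fields["from"], fields["to"]
            if ext_of(dst) in watched and ext_of(src) != ext_of(dst):
                reason = f"extension changed from .{ext_of(src) or '(none)'} to .{ext_of(dst)}"
                if uploads.get(src) == m["user"]:
                    reason += " by the same user who uploaded it"
                alerts.append(Alert(m["ts"], m["user"], dst, reason))
            if src in uploads:  # keep ownership tracking across the rename
                uploads[dst] = uploads.pop(src)
    return alerts


if __name__ == "__main__":
    for a in find_extension_swaps(SAMPLE_LOG):
        print(f"{a.ts} {a.user} {a.path}: {a.reason}")
```

The same loop can be fed from a tailed log to page an operator, and the `watched` tuple can be widened to any other type the site treats as active content.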


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2024-11-04T17:46:16.775Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d981dc4522896dcbdb00b

Added to database: 5/21/2025, 9:08:45 AM

Last enriched: 7/6/2025, 8:41:28 PM

Last updated: 8/18/2025, 11:28:45 PM

