What is the severity of CVE-2024-51991?

The severity of CVE-2024-51991 is considered moderate due to the risk posed to authenticated administrators with the media.clean_vectors configuration enabled.

How do I fix CVE-2024-51991?

To fix CVE-2024-51991, update your October CMS to version 3.7.5 or later.

Who is affected by CVE-2024-51991?

CVE-2024-51991 affects authenticated administrators using October CMS with the media.clean_vectors configuration enabled.

What kind of attacks might exploit CVE-2024-51991?

CVE-2024-51991 can be exploited by authenticated users to upload malicious SVG files that bypass sanitization.

Is the media.clean_vectors configuration safe to use with CVE-2024-51991?

The media.clean_vectors configuration is not safe to use in versions vulnerable to CVE-2024-51991 without the necessary updates.

Vulnerability/
CVE-2024-51991

low

1.1

CWE

434

5/5/2025

CVE-2024-51991: October CMS Allows Unprotected SVG Rename in Media Manager

First published: Mon May 05 2025(Updated: )

### Impact This advisory affects authenticated administrators with sites that have the `media.clean_vectors` configuration enabled. This configuration will sanitize SVG files uploaded using the media manager. This vulnerability allows an authenticated user to bypass this protection by uploading it with a permitted extension (for example, .jpg or .png) and later modifying it to the .svg extension. This vulnerability assumes a trusted user will attack another trusted user and cannot be actively exploited without access to the administration panel and interaction from the other user. ### Patches This issue has been patched in v3.7.5. ### References Credits to: - [Cyber-Wo0dy](https://github.com/Cyber-Wo0dy) ### For more information If you have any questions or comments about this advisory: * Email us at [hello@octobercms.com](mailto:hello@octobercms.com)

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
composer/october/october	<3.7.5	3.7.5
composer/october/system	<3.7.5	3.7.5

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-51991?
The severity of CVE-2024-51991 is considered moderate due to the risk posed to authenticated administrators with the media.clean_vectors configuration enabled.
How do I fix CVE-2024-51991?
To fix CVE-2024-51991, update your October CMS to version 3.7.5 or later.
Who is affected by CVE-2024-51991?
CVE-2024-51991 affects authenticated administrators using October CMS with the media.clean_vectors configuration enabled.
What kind of attacks might exploit CVE-2024-51991?
CVE-2024-51991 can be exploited by authenticated users to upload malicious SVG files that bypass sanitization.
Is the media.clean_vectors configuration safe to use with CVE-2024-51991?
The media.clean_vectors configuration is not safe to use in versions vulnerable to CVE-2024-51991 without the necessary updates.

agent/weakness
agent/softwarecombine
agent/first-publish-date
collector/mitre-cve
source/MITRE
agent/title
agent/type
agent/description
agent/severity
agent/author
agent/source
agent/event
collector/nvd-api
source/NVD
collector/github-advisory-latest
source/GitHub
alias/GHSA-96hh-8hx5-cpw7
alias/CVE-2024-51991
agent/software-canonical-lookup
agent/last-modified-date
agent/references
agent/tags
collector/nvd-cve
package-manager/composer

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.