Description: Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows a local attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field.
Attack Vectors: Insufficient input sanitization of the dbhost field during installation allows JavaScript code to be injected.
During the installation process, we enter the following XSS payload in the dbhost field; when we click on next, the XSS pop-up appears:
'"><svg/onload=prompt('dbhost')>
In the following image you can see the embedded code that executes the payload in the installation process.
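
A defensive sketch for the dbhost field, added here as an example and not taken from the October installer: it validates the submitted host and HTML-encodes it before reflecting it back into the form. The function names and the form markup are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not October installer code.

// Accept only values that can be a database host:
// an IPv4/IPv6 literal or a DNS hostname such as "localhost".
function is_valid_db_host(string $value): bool
{
    if ($value === '' || strlen($value) > 253) {
        return false;
    }
    if (filter_var($value, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // FILTER_FLAG_HOSTNAME restricts labels to letters, digits and hyphens,
    // so quotes, angle brackets and slashes are rejected.
    return filter_var($value, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

// Encode for an HTML attribute context: ENT_QUOTES covers both quote
// characters, which the payload uses to break out of value="...".
function e_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Re-render the form field (assumed markup). The submitted value is always
// encoded on output, whether or not it passed validation.
function render_dbhost_field(string $submitted): string
{
    $error = is_valid_db_host($submitted)
        ? ''
        : '<p class="error">Invalid database host.</p>';

    return '<input type="text" name="dbhost" value="' . e_attr($submitted) . '">' . $error;
}

// Constructed sample inputs: the payload shown on this page and two normal values.
$samples = ["'\"><svg/onload=prompt('dbhost')>", 'localhost', '127.0.0.1'];

foreach ($samples as $input) {
    echo render_dbhost_field($input), PHP_EOL;
}
```

Validation alone is not the fix: the output encoding is what keeps a rejected value inert when the form is shown again with the error message.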