QwikSec

Security Database

CVE

CWE

Training

CVE-2020-11083

Published: Jul 14, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

3.5

LOW

Description

In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users of the RainLab.Blog plugin, this has also been fixed in 1.4.1.

Vendor	Product	Versions
October CMS	October	affected `>= 1.0.319, < 1.0.466`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/octobercms/october/security/advisories/GHSA-w4pj-7p68-3vgv

x_refsource_CONFIRM

https://github.com/octobercms/october/commit/9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746

x_refsource_MISC

https://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94

x_refsource_MISC

http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html

x_refsource_MISC

20200804 October CMS <= Build 465 Multiple Vulnerabilities - Arbitrary File Read

mailing-list

x_refsource_FULLDISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.