Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ydng4LXAzeHAtZmozcM4AA3a4
October CMS stored XSS by authenticated backend user with improper configuration
Impact
A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported.
SVG files are supported by default in v3 for convenience; however, this has resulted in multiple mistaken vulnerability reports from security researchers. As per the documentation, if a backend user is not trusted, the advice is to remove the svg extension from the list of supported file types.
Patches
The issue has been patched in v3.5.2 by including an SVG sanister. It is enabled by default for new installations but must be enabled for existing sites in the config/media.php file.
'clean_vectors' => true,
Workarounds
If you cannot upgrade for this patch, follow the pervious advice and remove svg from the supported file types.
References
Credits to:
- Faris Krivic
- Okan Kurtulus
- Aldin Visnjic
- Bug Shankar
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ydng4LXAzeHAtZmozcM4AA3a4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS Percentage: 0.00053
EPSS Percentile: 0.23513
Identifiers: GHSA-rvx8-p3xp-fj3p, CVE-2023-44383
References:
- https://github.com/octobercms/october/security/advisories/GHSA-rvx8-p3xp-fj3p
- https://nvd.nist.gov/vuln/detail/CVE-2023-44383
- https://github.com/octobercms/october/commit/b7eed0bbf54d07ff310fcdc7037a8e8bf1f5043b
- https://github.com/advisories/GHSA-rvx8-p3xp-fj3p
Blast Radius: 13.7
Affected Packages
packagist:october/system
Dependent packages: 37Dependent repositories: 340
Downloads: 1,015,909 total
Affected Version Ranges: >= 3.0.0, < 3.5.2
Fixed in: 3.5.2
All affected versions:
All unaffected versions: 1.0.319, 1.0.320, 1.0.321, 1.0.322, 1.0.323, 1.0.324, 1.0.325, 1.0.326, 1.0.327, 1.0.328, 1.0.329, 1.0.330, 1.0.331, 1.0.332, 1.0.333, 1.0.334, 1.0.335, 1.0.336, 1.0.337, 1.0.338, 1.0.339, 1.0.340, 1.0.341, 1.0.342, 1.0.343, 1.0.344, 1.0.345, 1.0.346, 1.0.347, 1.0.348, 1.0.349, 1.0.350, 1.0.351, 1.0.352, 1.0.353, 1.0.354, 1.0.355, 1.0.356, 1.0.357, 1.0.358, 1.0.359, 1.0.360, 1.0.361, 1.0.362, 1.0.363, 1.0.364, 1.0.365, 1.0.366, 1.0.367, 1.0.368, 1.0.369, 1.0.370, 1.0.371, 1.0.372, 1.0.373, 1.0.374, 1.0.375, 1.0.376, 1.0.377, 1.0.378, 1.0.379, 1.0.380, 1.0.381, 1.0.382, 1.0.383, 1.0.384, 1.0.385, 1.0.386, 1.0.387, 1.0.388, 1.0.389, 1.0.390, 1.0.391, 1.0.392, 1.0.393, 1.0.394, 1.0.395, 1.0.396, 1.0.397, 1.0.398, 1.0.399, 1.0.400, 1.0.401, 1.0.402, 1.0.403, 1.0.404, 1.0.405, 1.0.406, 1.0.407, 1.0.408, 1.0.409, 1.0.410, 1.0.411, 1.0.412, 1.0.413, 1.0.414, 1.0.415, 1.0.416, 1.0.417, 1.0.418, 1.0.419, 1.0.420, 1.0.421, 1.0.422, 1.0.423, 1.0.424, 1.0.425, 1.0.426, 1.0.427, 1.0.428, 1.0.429, 1.0.430, 1.0.431, 1.0.432, 1.0.433, 1.0.434, 1.0.435, 1.0.436, 1.0.437, 1.0.438, 1.0.439, 1.0.440, 1.0.441, 1.0.442, 1.0.443, 1.0.444, 1.0.445, 1.0.446, 1.0.447, 1.0.448, 1.0.449, 1.0.450, 1.0.451, 1.0.452, 1.0.453, 1.0.454, 1.0.455, 1.0.456, 1.0.457, 1.0.458, 1.0.459, 1.0.460, 1.0.461, 1.0.462, 1.0.463, 1.0.464, 1.0.465, 1.0.466, 1.0.467, 1.0.468, 1.0.469, 1.0.470, 1.0.471, 1.0.472, 1.0.473, 1.0.474, 1.0.475, 1.0.476, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.9, 1.1.10, 1.1.11, 1.1.12