Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc0cGotN3A2OC0zdmd2
Stored XSS in October
Impact
A user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field.
Patches
Issue has been patched in Build 466 (v1.0.466) & RainLab.Blog v1.4.1 by restricting the ability to store JS in markdown to only users that have been explicitly granted the backend.allow_unsafe_markdown permission.
Workarounds
Apply https://github.com/octobercms/october/commit/9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746 & https://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94 to your installation manually if unable to upgrade to Build 466 or v1.4.1 of RainLab.Blog (if using that plugin).
References
Reported by Sivanesh Ashok
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Threat assessment:
Permalink: https://github.com/advisories/GHSA-w4pj-7p68-3vgvJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc0cGotN3A2OC0zdmd2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: about 1 year ago
CVSS Score: 3.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Identifiers: GHSA-w4pj-7p68-3vgv, CVE-2020-11083
References:
- https://github.com/octobercms/october/security/advisories/GHSA-w4pj-7p68-3vgv
- https://nvd.nist.gov/vuln/detail/CVE-2020-11083
- https://github.com/octobercms/october/commit/9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746
- https://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94
- http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html
- http://seclists.org/fulldisclosure/2020/Aug/2
- https://github.com/advisories/GHSA-w4pj-7p68-3vgv
Blast Radius: 8.8
Affected Packages
packagist:october/backend
Dependent packages: 12Dependent repositories: 317
Downloads: 996,055 total
Affected Version Ranges: >= 1.0.319, < 1.0.466
Fixed in: 1.0.466
All affected versions: 1.0.319, 1.0.320, 1.0.321, 1.0.322, 1.0.323, 1.0.324, 1.0.325, 1.0.326, 1.0.327, 1.0.328, 1.0.329, 1.0.330, 1.0.331, 1.0.332, 1.0.333, 1.0.334, 1.0.335, 1.0.336, 1.0.337, 1.0.338, 1.0.339, 1.0.340, 1.0.341, 1.0.342, 1.0.343, 1.0.344, 1.0.345, 1.0.346, 1.0.347, 1.0.348, 1.0.349, 1.0.350, 1.0.351, 1.0.352, 1.0.353, 1.0.354, 1.0.355, 1.0.356, 1.0.357, 1.0.358, 1.0.359, 1.0.360, 1.0.361, 1.0.362, 1.0.363, 1.0.364, 1.0.365, 1.0.366, 1.0.367, 1.0.368, 1.0.369, 1.0.370, 1.0.371, 1.0.372, 1.0.373, 1.0.374, 1.0.375, 1.0.376, 1.0.377, 1.0.378, 1.0.379, 1.0.380, 1.0.381, 1.0.382, 1.0.383, 1.0.384, 1.0.385, 1.0.386, 1.0.387, 1.0.388, 1.0.389, 1.0.390, 1.0.391, 1.0.392, 1.0.393, 1.0.394, 1.0.395, 1.0.396, 1.0.397, 1.0.398, 1.0.399, 1.0.400, 1.0.401, 1.0.402, 1.0.403, 1.0.404, 1.0.405, 1.0.406, 1.0.407, 1.0.408, 1.0.409, 1.0.410, 1.0.411, 1.0.412, 1.0.413, 1.0.414, 1.0.415, 1.0.416, 1.0.417, 1.0.418, 1.0.419, 1.0.420, 1.0.421, 1.0.422, 1.0.423, 1.0.424, 1.0.425, 1.0.426, 1.0.427, 1.0.428, 1.0.429, 1.0.430, 1.0.431, 1.0.432, 1.0.433, 1.0.434, 1.0.435, 1.0.436, 1.0.437, 1.0.438, 1.0.439, 1.0.440, 1.0.441, 1.0.442, 1.0.443, 1.0.444, 1.0.445, 1.0.446, 1.0.447, 1.0.448, 1.0.449, 1.0.450, 1.0.451, 1.0.452, 1.0.453, 1.0.454, 1.0.455, 1.0.456, 1.0.457, 1.0.458, 1.0.459, 1.0.460, 1.0.461, 1.0.462, 1.0.463, 1.0.464, 1.0.465
All unaffected versions: 1.0.466, 1.0.467, 1.0.468, 1.0.469, 1.0.470, 1.0.471, 1.0.472, 1.0.473, 1.0.474, 1.0.475, 1.0.476, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.9, 1.1.10, 1.1.11, 1.1.12