Cross-site Scripting in October

2020-07-0216:55:11

Google

osv.dev

0.001 Low

EPSS

Percentile

26.5%

JSON

Impact

Pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack.

Patches

Issue has been patched in Build 467 (v1.0.467).

Workarounds

Apply https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5 to your installation manually if unable to upgrade to Build 467.

References

https://research.securitum.com/the-curious-case-of-copy-paste/

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]

Threat Assessment

Assessed as Low given that by the nature of the attack it can only impact users that do it to themselves by copying and pasting from malicious websites.

Acknowledgements

Thanks to Michał Bentkowski of Securitum for finding the original issue in Froala and @tomaszstrojny for reporting the issue to the October CMS team.

CPENameOperatorVersion
october/backendeq1.0.450
october/backendeq1.0.440
october/backendeq1.0.353
october/backendeq1.0.423
october/backendeq1.0.428
october/backendeq1.0.339
october/backendeq1.0.327
october/backendeq1.0.388
october/backendeq1.0.453
october/backendeq1.0.425

Name	Operator	Version
october/backend	eq	1.0.450
october/backend	eq	1.0.440
october/backend	eq	1.0.353
october/backend	eq	1.0.423
october/backend	eq	1.0.428
october/backend	eq	1.0.339
october/backend	eq	1.0.327
october/backend	eq	1.0.388
october/backend	eq	1.0.453
october/backend	eq	1.0.425