Reflected XSS when importing CSV in OctoberCMS

Impact

A user with the ability to use the import functionality of the ImportExportController behavior could be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question

Patches

Issue has been patched in Build 466 (v1.0.466).

Workarounds

Apply https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c to your installation manually if unable to upgrade to Build 466.

References

Reported by Sivanesh Ashok

For more information

If you have any questions or comments about this advisory:

• Email us at [email protected]

Threat assessment:

<img width=“1100” alt=“Screen Shot 2020-03-31 at 2 01 52 PM” src=“https://user-images.githubusercontent.com/7253840/78070158-8f7ef580-7358-11ea-950c-226533f6a0a3.png”>