cbcvebase.
CVE-2020-11083
published 2020-07-14

CVE-2020-11083: In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS…

PriorityP422medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
1.15%
62.8th percentile
In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users of the RainLab.Blog plugin, this has also been fixed in 1.4.1.

Affected

3 ranges
VendorProductVersion rangeFixed in
octoberbackend>= 1.0.319 < 1.0.4661.0.466
october_cmsoctober
octobercmsoctober>= 1.0.319 < 1.0.4661.0.466

CVSS provenance

nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.