CVE-2020-11083
published 2020-07-14CVE-2020-11083: In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS…
PriorityP422medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
1.15%
62.8th percentile
In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users of the RainLab.Blog plugin, this has also been fixed in 1.4.1.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | backend | >= 1.0.319 < 1.0.466 | 1.0.466 |
| october_cms | october | — | — |
| octobercms | october | >= 1.0.319 < 1.0.466 | 1.0.466 |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Stored XSS in October
ghsa·2020-08-05
CVE-2020-11083 [LOW] CWE-79 Stored XSS in October
Stored XSS in October
### Impact
A user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field.
### Patches
Issue has been patched in Build 466 (v1.0.466) & RainLab.Blog v1.4.1 by restricting the ability to store JS in markdown to only users that have been explicitly granted the `backend.allow_unsafe_markdown` permission.
### Workarounds
Apply https://github.com/octobercms/october/commit/9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746 & https://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94 to your installation manually if unable to upgrade to Build 466 or v1.4.1 of RainLab.Blog (if using that plugin).
### References
Reported by [
OSV
Stored XSS in October
osv·2020-08-05
CVE-2020-11083 [LOW] Stored XSS in October
Stored XSS in October
### Impact
A user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field.
### Patches
Issue has been patched in Build 466 (v1.0.466) & RainLab.Blog v1.4.1 by restricting the ability to store JS in markdown to only users that have been explicitly granted the `backend.allow_unsafe_markdown` permission.
### Workarounds
Apply https://github.com/octobercms/october/commit/9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746 & https://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94 to your installation manually if unable to upgrade to Build 466 or v1.4.1 of RainLab.Blog (if using that plugin).
### References
Reported by [
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.htmlhttp://seclists.org/fulldisclosure/2020/Aug/2https://github.com/octobercms/october/commit/9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746https://github.com/octobercms/october/security/advisories/GHSA-w4pj-7p68-3vgvhttps://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.htmlhttp://seclists.org/fulldisclosure/2020/Aug/2https://github.com/octobercms/october/commit/9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746https://github.com/octobercms/october/security/advisories/GHSA-w4pj-7p68-3vgvhttps://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94
2020-07-14
Published