CVE-2020-4061 — Cross-site Scripting in October

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 45.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Octobercms October October Backend October CMS October

Timeline

PublishedJul 2

Description

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶Packagistoctober/backend1.0.319 — 1.0.467

▶NVDoctobercms/october1.0.319 — 1.0.467

▶CVEListV5october_cms/october>= 1.0.319, < 1.0.467

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Cross-site Scripting in October↗2020-07-02

▶

GHSA

Cross-site Scripting in October↗2020-07-02

▶