CVE-2020-4061
published 2020-07-02
Priority P4 (25) · CVSS 3.1 base score 5.4 (medium) · vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS 0.82% (52.7th percentile)
In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | backend | >= 1.0.319 < 1.0.467 | 1.0.467 |
| october_cms | october | — | — |
| octobercms | october | >= 1.0.319 < 1.0.467 | 1.0.467 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
OSV
CVE-2020-4061 [LOW] Cross-site Scripting in October (osv, 2020-07-02)
### Impact
Pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack.
### Patches
Issue has been patched in Build 467 (v1.0.467).
### Workarounds
Apply https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5 to your installation manually if unable to upgrade to Build 467.
### References
- https://research.securitum.com/the-curious-case-of-copy-paste/
### For more information
If you have any questions or comments about this advisory:
* Email us at [[email protected]](mailto:[email protected])
### Threat Assessment
Assessed as Low given that by the nature of the attack it can only impact users that do it to themselves by copying and pasting from malicious websites.
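As an added example, not code from October CMS, Froala or the linked commit, the block below shows both halves of the copy/paste self-XSS the advisory describes and the kind of allowlist guard that closes it at the paste boundary. `attackerCopyHandler` is what a malicious page runs in its `copy` listener to replace the `text/html` clipboard flavour (the technique of the Securitum write-up referenced above); `sanitizePastedHtml` rebuilds the pasted markup from a tag/attribute allowlist, dropping every event-handler attribute and any `href`/`src` whose scheme is not http, https or mailto, including entity- and control-character-obfuscated `javascript:` URLs; `installPasteGuard` wires it to the editor's paste event. All function names, the allowlists and the sample payload are constructed for this example.

```javascript
// Added illustration for CVE-2020-4061, not October CMS or Froala code: the
// copy/paste self-XSS pattern and an allowlist guard for the text/html clipboard flavour.

// --- Attacker side: a malicious page swaps what the visitor copies. ---
// Installed as a 'copy' listener on the attacker's page. The visitor believes
// they copied harmless text; the text/html flavour carries markup that runs as
// soon as a rich editor inserts the paste as HTML (constructed payload).
const POISONED_HTML =
  '<p>Harmless looking text</p><img src=x onerror="alert(document.cookie)">';

function attackerCopyHandler(event) {
  event.preventDefault();                           // discard the real selection
  event.clipboardData.setData('text/plain', 'Harmless looking text');
  event.clipboardData.setData('text/html', POISONED_HTML);
}

// --- Defender side: rebuild pasted HTML from an allowlist before inserting it. ---
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'u', 's', 'a', 'ul',
  'ol', 'li', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'blockquote', 'code', 'pre', 'table',
  'thead', 'tbody', 'tr', 'td', 'th', 'img', 'span', 'div']);
// Attributes kept per tag; anything else (on*, style, class, srcdoc ...) is dropped.
const ALLOWED_ATTRS = new Map([['a', ['href', 'title']], ['img', ['src', 'alt', 'width', 'height']],
  ['td', ['colspan', 'rowspan']], ['th', ['colspan', 'rowspan']]]);
// Elements removed together with their content (script text, foreign content, raw-text elements).
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'svg',
  'math', 'template', 'textarea', 'noscript', 'title']);
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Sticky tag matcher: </?name attr="v" attr='v' attr=v ... /?>
const TAG_RE = /<(\/?)([a-zA-Z][\w:-]*)((?:\s+[^\s"'=<>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?)*)\s*(\/?)>/y;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
const NAMED = new Map([['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"]]);

// Decode numeric and the basic named entities (semicolon optional, as browsers
// tolerate in attributes) so "&#106;avascript:" is seen for what it is.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    if (body[0] !== '#') return NAMED.get(body.toLowerCase()) ?? m;
    const code = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return code <= 0x10ffff ? String.fromCodePoint(code) : m;
  });
}

const escapeAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
  .replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Accept relative URLs and http/https/mailto; reject any other scheme after
// removing the control characters browsers ignore ("java\tscript:").
function safeUrl(decoded) {
  const url = decoded.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return !m || SAFE_SCHEMES.has(m[1].toLowerCase());
}

function serializeAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS.get(tag) || [];
  let out = '';
  for (const a of attrText.matchAll(ATTR_RE)) {
    const key = a[1].toLowerCase();
    if (!allowed.includes(key)) continue;            // every on* handler dies here
    const value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? '');
    if (URL_ATTRS.has(key) && !safeUrl(value)) continue;
    out += ` ${key}="${escapeAttr(value)}"`;
  }
  return out;
}

function sanitizePastedHtml(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);                        // text between tags contains no '<'
    if (html.startsWith('<!--', lt)) {               // comments (incl. conditional) are dropped
      const end = html.indexOf('-->', lt + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    TAG_RE.lastIndex = lt;
    const m = TAG_RE.exec(html);
    if (!m) { out += '&lt;'; i = lt + 1; continue; } // a stray '<' can never open a tag
    i = TAG_RE.lastIndex;
    const [, closing, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (DROP_WITH_CONTENT.has(name)) {
      if (!closing) {                                // skip to the matching close tag
        const closeRe = new RegExp('</' + name + '[\\s/]*>', 'gi');
        closeRe.lastIndex = i;
        i = closeRe.exec(html) ? closeRe.lastIndex : html.length;
      }
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;           // unknown tag: keep its text, lose the tag
    out += closing ? `</${name}>` : '<' + name + serializeAttrs(name, attrs) + '>';
  }
  return out;
}

// Browser hook: intercept the paste and insert only the sanitized HTML.
function installPasteGuard(editorEl) {
  editorEl.addEventListener('paste', (e) => {
    const html = e.clipboardData.getData('text/html');
    if (!html) return;                               // plain-text paste: nothing to filter
    e.preventDefault();
    document.execCommand('insertHTML', false, sanitizePastedHtml(html));
  });
}
```

In a browser, `installPasteGuard` is attached to the editor's contenteditable element before the editor's own paste handling runs. Pasting the attacker's clipboard then inserts `<p>Harmless looking text</p><img src="x">`: the `onerror` handler, and with it the script, is gone. The payload is "self" XSS only in the sense that the victim performs the paste; it still executes in the backend user's authenticated session, with that user's CSRF token and privileges, which is why the fix matters even at a Low rating. The sanitizer here tokenizes on its own rather than using the DOM so that it can be unit-tested outside a browser; in production a DOM-based allowlist sanitizer applied to the same `text/html` flavour is the same shape of defense.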
GHSA
CVE-2020-4061 [LOW] CWE-79 Cross-site Scripting in October (ghsa, 2020-07-02)
Advisory text is identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5
- https://github.com/octobercms/october/security/advisories/GHSA-3pc2-fm7p-q2vg
- https://research.securitum.com/the-curious-case-of-copy-paste/