October Backend vulnerabilities

7 known vulnerabilities affecting october/backend.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 2, LOW 5

Vulnerabilities

CVE-2021-21265 | LOW | CWE-644 | affected: ≥ 0, < 1.1.2 | published: 2021-03-10
October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers
Impact: When running on servers that are configured to accept a wildcard as a hostname (i.e. the server routes any request, regardless of the HOST header, to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. See the following resources for more information on
CVE-2020-15248 | LOW | CWE-269 | affected: ≥ 1.0.319, < 1.0.470 | published: 2020-11-23
Privilege escalation by backend users assigned to the default "Publisher" system role
Impact: Backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the new user has. This means that a user with "Publisher" access has the ability to escalate their access to "Developer" access.
Patches: Issue has been patch
CVE-2020-15249 | LOW | CWE-79 | affected: ≥ 1.0.319, < 1.0.469 | published: 2020-11-23
Stored XSS by authenticated backend user with access to upload files
Impact: Backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. /stora
CVE-2020-11083 | LOW | CWE-79 | affected: ≥ 1.0.319, < 1.0.466 | published: 2020-08-05
Stored XSS in October
Impact: A user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field.
Patches: Issue has been patched in Build 466 (v1.0.466) & RainLab.Blog v1.4.1 by restricting the ability to store JS in markdown to only users that have been explicitly granted the `backend.allow_unsafe_markdown` per
CVE-2020-4061 | LOW | CWE-79 | affected: ≥ 1.0.319, < 1.0.467 | published: 2020-07-02
Cross-site Scripting in October
Impact: Pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack.
Patches: Issue has been patched in Build 467 (v1.0.467).
Workarounds: Apply https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5 to your installation manually if unable to upgrade to Build 467.
References: https://research.securit
CVE-2020-5298 | MEDIUM | CWE-79 | affected: ≥ 1.0.319, < 1.0.466 | published: 2020-06-03
Reflected XSS when importing CSV in OctoberCMS
Impact: A user with the ability to use the import functionality of the `ImportExportController` behavior could be socially engineered by an attacker to upload a maliciously crafted CSV file, which could result in a reflected XSS attack on the user in question.
Patches: Issue has been patched in Build 466 (v1.0.466).
Workarounds: Apply https://github.com/octobercms
CVE-2020-5299 | MEDIUM | CWE-77 | affected: ≥ 1.0.319, < 1.0.466 | published: 2020-06-03
Potential CSV Injection vector in OctoberCMS
Impact: Any users with the ability to modify any data that could eventually be exported as a CSV file from the `ImportExportController` could potentially introduce a CSV injection into the data to cause the generated CSV export file to be malicious. This requires attackers to achieve the following before a successful attack can be completed: 1. Have found a vulnerability i