Stored XSS in October
CVE-2020-11083

3.5LOW

Key Information:

Vendor

October Cms

Status
October
Vendor
CVE Published:
14 July 2020

What is CVE-2020-11083?

In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users of the RainLab.Blog plugin, this has also been fixed in 1.4.1.

Affected Version(s)

October >= 1.0.319, < 1.0.466

References

https://github.com/octobercms/october/security/advisories...
x_refsource_CONFIRM
https://github.com/octobercms/october/commit/9ecfb4867baa...
x_refsource_MISC
https://github.com/rainlab/blog-plugin/commit/6ae19a6e16e...
x_refsource_MISC

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2020-11083 : Stored XSS in October