October CMS 3.4.0 Wiki Article Cross Site Scripting

OctoberCMS v3.4.0 (Wiki_article) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to create an article could perform a storedXSS attack against any other users with the ability to create an article.This can lead to execute arbitrary HTML/JS code in a user's browser sessionin context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5807Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5807.php30.10.2023--Stored XSS (EntryRecord[content]):----------------------------------Endpoint: /backend/tailor/entries/wiki_articlePayload: EntryRecord%5Bcontent%5D="<script>alert(1)</script>"