
OctoberCMS v3.4.0 (Author) Stored Cross-Site Scripting Vulnerability


Zero Science Lab

Title: OctoberCMS v3.4.0 (Author) Stored Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2023-5804
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 03.12.2023

Summary

OctoberCMS is a self-hosted content management system (CMS) based on the PHP programming language and the Laravel web application framework. It supports MySQL, SQLite and PostgreSQL for the database back end and uses a flat-file database for the front-end structure. October CMS covers a range of capabilities such as users, permissions, themes, and plugins, and is seen as a simpler alternative to WordPress.

Description

OctoberCMS suffers from a stored cross-site scripting vulnerability: a user who has the author feature can perform a stored XSS attack against any other user visiting that author's posts. This can lead to the execution of arbitrary HTML/JS code in a user's browser session in the context of the affected site.

Vendor

October CMS - https://www.octobercms.com

Affected Version

3.4.0

Tested On

macOS Monterey 12.6.3
Docker 4.12.0 (85629)
PHP/8.1.6

Vendor Status

[30.10.2023] Vulnerability discovered.
[31.10.2023] Contact with the vendor.
[06.11.2023] Vendor asked for the details.
[07.11.2023] Sent details to the vendor.
[11.11.2023] Vendor asked for confirmation if the findings were within their scope.
[14.11.2023] Confirmed the issues are within the scope.
[20.11.2023] Vendor asked for further information on how exploits affect a public-facing website.
[22.11.2023] Explained the impact of the findings in detail.
[29.11.2023] Vendor didn’t consider the findings as vulnerabilities.
[03.12.2023] Public security advisory released.

PoC

octobercms_xss(author).txt

Credits

Vulnerability discovered by Nazli Soysal Kuran

References

N/A

Changelog

[03.12.2023] - Initial release

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
