Traefik is an open source HTTP reverse proxy and load balancer. When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates RFC 7230 because in the origin-form the URL should only contain the absolute path and the query. When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control restrictions. This vulnerability has been addressed in versions 2.10.6 and 3.0.0-beta5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

**Summary**

When a request is sent to Traefik with a URL fragment, Traefik automatically URL encodes and forwards the fragment to the backend server. This violates the RFC because in the origin-form the URL should only contain the absolute path and the query.

When this is combined with another frontend proxy like Nginx, it can be used to bypass frontend proxy URI-based access control  
restrictions.

**Details**

For example, we have this Nginx configuration:

    location /admin {
         deny all;
         return 403;
    }
    

This can be bypassed when the attacker is requesting to /#/../admin

This won’t be vulnerable if the backend server follows the RFC and ignores any characters after the fragment.

However, if Nginx is chained with another reverse proxy which automatically URL encode the character # (Traefik) the URL will become

/%23/../admin

And allow the attacker to completely bypass the Access Restriction from the Nginx Front-End proxy.

Here is a diagram to summarize the attack:

**PoC**

This is the POC docker I've set up. It contains Nginx, Traefik proxies and a backend server running PHP.

https://drive.google.com/file/d/1vLnA0g7N7ZKhLNmHmuJ4JJjV\_J2akNMt/view?usp=sharing

**Impact**

This allows the attacker to completely bypass the Access Restriction from Front-End proxy.

CVE-2023-47106: Incorrect processing of fragment in the URL leads to Authorization Bypass

kkFileView v4.3.0 is vulnerable to Incorrect Access Control.

**kkFileView****Introduction**

Document online preview project solution, built using the popular Spring Boot framework for easy setup and deployment. This versatile open source project provides basic support for a wide range of document formats, including:

1.  Supports Office documents such as doc, docx, xls, xlsx, xlsm, ppt, pptx, csv, tsv, , dotm, xlt, xltm, dot, xlam, dotx, xla, ,pages etc.
2.  Supports domestic WPS Office documents such as wps, dps, et , ett,  wpt.
3.  Supports OpenOffice, LibreOffice office documents such as odt, ods, ots, odp, otp, six, ott, fodt and fods.
4.  Supports Visio flowchart files such as vsd, vsdx.
5.  Supports Windows system image files such as wmf, emf.
6.  Supports Photoshop software model files such as psd ,eps.
7.  Supports document formats like pdf, ofd, and rtf.
8.  Supports software model files like xmind.
9.  Support for bpmn workflow files.
10.  Support for eml mail files
11.  Support for epub book documents
12.  Supports 3D model files like obj, 3ds, stl, ply, gltf, glb, off, 3dm, fbx, dae, wrl, 3mf, ifc, brep, step, iges, fcstd, bim, etc.
13.  Supports CAD model files such as dwg, dxf, dwf iges , igs, dwt , dng , ifc , dwfx , stl , cf2 , plt, etc.
14.  Supports all plain text files such as txt, xml (rendering), md (rendering), java, php, py, js, css, etc.
15.  Supports compressed packages such as zip, rar, jar, tar, gzip, 7z, etc.
16.  Supports image previewing (flip, zoom, mirror) of jpg, jpeg, png, gif, bmp, ico, jfif, webp, etc.
17.  Supports image information model files such as tif and tiff.
18.  Supports image format files such as tga.
19.  Supports vector image format files such as svg.
20.  Supports mp3,wav,mp4,flv .
21.  Supports many audio and video format files such as avi, mov, wmv, mkv, 3gp, and rm.
22.  Supports for dcm .
23.  Supports for drawio .

**Features**

*   Build with the popular frame spring boot
*   Easy to build and deploy
*   Basically support online preview of mainstream office documents, such as Doc, docx, Excel, PDF, TXT, zip, rar, pictures, etc
*   REST API
*   Abstract file preview interface so that it is easy to extend more file extensions and develop this project on your own

**Official website and DOCS**

URL：https://kkview.cn

**Live demo**

> Please treat public service kindly, or this would stop at any time.

URL：https://file.kkview.cn

**Contact Us**

> We will answer your questions carefully and solve any problems you encounter while using the project. We also kindly ask that you at least Google or Baidu before asking questions in order to save time and avoid ineffective communication. Let's cherish our lives and stay away from ineffective communication.

**Quick Start**

> Technology stack

*   Spring boot： spring boot Development Reference Guide
*   Freemarker
*   Redisson
*   Jodconverter

> Dependencies

*   Redis(Optional, Unnecessary by default)
*   OpenOffice or LibreOffice(Integrated on Windows, will be installed automatically on Linux, need to be manually installed on Mac OS)

1.  First step：git pull https://github.com/kekingcn/kkFileView.git
    
2.  second step：Run the main method of /server/src/main/java/cn/keking/ServerMain.java. After starting,visit http://localhost:8012/.
    

**Changelog**

> December 14, 2022, version 4.1.0 released:

1.  Updated homepage design by @wsd7747.
2.  Compatible with multipage tif for pdf and jpg conversion and multiple page online preview for tif image preview by @zhangzhen1979.
3.  Optimized docker build, using layered build method by @yl-yue.
4.  Implemented file encryption based on userToken cache by @yl-yue.
5.  Implemented preview for encrypted Word, PPT, and Excel files by @yl-yue.
6.  Upgraded Linux & Docker images to LibreOffice 7.3.
7.  Updated OFD preview component, tif preview component, and added support for PPT watermarking.
8.  Numerous other upgrades, optimizations, and bug fixes. We thank @yl-yue, @wsd7747, @zhangzhen1979, @tomhusky, @shenghuadun, and @kischn.sun for their code contributions.

> July 6, 2021, version 4.0.0 released:

1.  The integration of OpenOffice in the underlying system has been replaced with LibreOffice, resulting in enhanced compatibility and improved preview effects for Office files.
2.  Fixed the directory traversal vulnerability in compressed files.
3.  Fixed the issue where previewing PPT files in PDF mode was ineffective.
4.  Fixed the issue where the front-end display of image preview mode for PPT files was abnormal.
5.  Added a new feature: the file upload function on the homepage can be enabled or disabled in real-time through configuration.
6.  Optimized the logging of Office process shutdown.
7.  Optimized the logic for finding Office components in Windows environment, with built-in LibreOffice taking priority.
8.  Optimized the synchronous execution of starting Office processes.

> June 17, 2021, version 3.6.0 released:

This version includes support for OFD file type versions, and all the important features in this release were contributed by the community. We thank @gaoxingzaq and @zhangxiaoxiao9527 for their code contributions.

1.  Added support for previewing OFD type files. OFD is a domestically produced file format similar to PDF.
2.  Added support for transcoding and previewing video files through ffmpeg. With transcoding enabled, theoretically, all mainstream video file formats such as RM, RMVB, FLV, etc. are supported for preview.
3.  Beautified the preview effect of PPT and PPTX file types, much better looking than the previous version.
4.  Updated the versions of dependencies such as pdfbox, xstream, common-io.

> January 28, 2021:

The final update of the Lunar New Year 2020 has been released, mainly including some UI improvements, bug fixes reported by QQ group users and issues, and most importantly, it is a new version for a good year.

1.  Introduced galimatias to solve the problem of abnormal file download caused by non-standard file names.
2.  Updated UI style of index access demonstration interface.
3.  Updated UI style of markdown file preview.
4.  Updated UI style of XML file preview, adjusted the architecture of text file preview to facilitate expansion.
5.  Updated UI style of simTxT file preview.
6.  Adjusted the UI of continuous preview of multiple images to flip up and down.
7.  Simplified all file download IO operations by adopting the apache-common-io package.
8.  XML file preview supports switching to pure text mode.
9.  Enhanced prompt information when url base64 decoding fails.
10.  Fixed import errors and image preview bug.
11.  Fixed the problem of missing log directory when running the release package.
12.  Fixed the bug of continuous preview of multiple images in the compressed package.
13.  Fixed the problem of no universal matching for file type suffixes in uppercase and lowercase.
14.  Specified the use of the Apache Commons-code implementation for Base64 encoding to fix exceptions occurring in some JDK versions.
15.  Fixed the bug of HTML file preview of text-like files.
16.  Fixed the problem of inability to switch between jpg and pdf when previewing dwg files.
17.  Escaped dangerous characters to prevent reflected xss.
18.  Fixed the problem of duplicate encoding causing the failure of document-to-image preview and standardized the encoding.

> December 27, 2020:

The year-end major update of 2020 includes comprehensive architecture design, complete code refactoring, significant improvement in code quality, and more convenient secondary development. We welcome you to review the source code and contribute to building by raising issues and pull requests.

1.  Adjusted architecture modules, extensively refactored code, and improved code quality by several levels. Please feel free to review.
2.  Enhanced XML file preview effect and added preview of XML document structure.
3.  Added support for markdown file preview, including support for md rendering and switching between source text and preview.
4.  Switched the underlying web server to jetty, resolving the issue: #168
5.  Introduced cpdetector to solve the problem of file encoding recognition.
6.  Adopted double encoding with base64 and urlencode for URLs to completely solve preview problems with bizarre file names.
7.  Added configuration item office.preview.switch.disabled to control the switch of office file preview.
8.  Optimized text file preview logic, transmitting content through Base64 to avoid requesting file content again during preview.
9.  Disabled the image zoom effect in office preview mode to achieve consistent experience with image and pdf preview.
10.  Directly set pdfbox to be compatible with lower version JDK, and there will be no warning prompts even when run in IDEA.
11.  Removed non-essential toolkits like Guava and Hutool to reduce code volume.
12.  Asynchronous loading of Office components speeds up application launch to within 5 seconds.
13.  Reasonable settings of the number of threads in the preview consumption queue.
14.  Fixed the bug where files in compressed packages failed to preview again.
15.  Fixed the bug in image preview.

> May 20th 2020 ：

1.  Support for global watermark and dynamic change of watermark content through parameters
2.  Support for CAD file Preview
3.  Add configuration item base.url, support using nginx reverse proxy and set context-path
4.  All configuration items can be read from environment variables, which is convenient for docker image deployment and large-scale use in cluster
5.  Support the configuration of TrustHost (only the file source from the trust site can be previewed), and protect the preview service from abuse
6.  Support configuration of customize cache cleanup time (cron expression)
7.  All recognizable plain text can be previewed directly without downloading, such as .md .java .py, etc
8.  Support configuration to limit PDF file download after conversion
9.  Optimize Maven packaging configuration to solve the problem of line break in .sh script
10.  Place all CDN dependencies on the front end locally for users without external network connection
11.  Comment Service on home page switched from Sohu ChangYan to gitalk
12.  Fixed preview exceptions that may be caused by special characters in the URL
13.  Fixed the addtask exception of the transformation file queue
14.  Fixed other known issues
15.  Official website build: https://kkview.cn
16.  Official docker image repository build: https://hub.docker.com/r/keking/kkfileview

> June 18th 2019 ：

1.  Support automatic cleaning of cache and preview files
2.  Support http/https stream url file preview
3.  Support FTP url file preview
4.  Add Docker build

> April 8th 2019

1.  Cache and queue implementations abstract, providing JDK and REDIS implementations (REDIS becomes optional dependencies)
2.  Provides zip and tar.gz packages, and provides a one-click startup script

> January 17th 2018

1.  Refined the project directory, abstract file preview interface, Easy to extend more file extensions and depoly this project on your own
2.  Added English documentation (@幻幻Fate，@汝辉) contribution
3.  Support for more image file extensions
4.  Fixed the issue that image carousel in zip file will always start from the first

> January 12th 2018

1.  Support for multiple images preview
2.  Support for images rotation preview in rar/zip

> January 2nd 2018

1.  Fixed gibberish issue when preview a txt document caused by the file encoding problem
2.  Fixed the issue that some module dependencies can not be found
3.  Add a spring boot profile, and support for Multi-environment configuration
4.  Add pdf.js to preview the documents such as doc,etc.,support for generating doc headlines as pdf menu，support for mobile preview

**Sponsor Us**

If this project has been helpful to you, we welcome your sponsorship. Your support is our greatest motivation.！

CVE-2023-48815: GitHub - kekingcn/kkFileView: Universal File Online Preview Project based on Spring-Boot

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has article posting capabilities.

    OctoberCMS v3.4.0 (Wiki_article) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to create an article could perform a storedXSS attack against any other users with the ability to create an article.This can lead to execute arbitrary HTML/JS code in a user's browser sessionin context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5807Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5807.php30.10.2023--Stored XSS (EntryRecord[content]):----------------------------------Endpoint: /backend/tailor/entries/wiki_articlePayload: EntryRecord%5Bcontent%5D="<script>alert(1)</script>"

October CMS 3.4.0 Wiki Article Cross Site Scripting

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has category-creating capabilities.

    OctoberCMS v3.4.0 (Category) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to a category-creating feature that storesdata persistently could create a stored XSS attack against any other usersvisiting the blog page. This can lead to execute arbitrary HTML/JS codein a user's browser session in context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5806Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5806.php30.10.2023--Stored XSS (EntryRecord[title]):--------------------------------Endpoint: POST /backend/tailor/entries/blog_category/createPayload: EntryRecord%5Btitle%5D="</title><script>alert(1)</script>"

October CMS 3.4.0 Category Cross Site Scripting

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has blog-creating capabilities.

    OctoberCMS v3.4.0 (Blog) Stored Cross-Site Scripting VulnerabilitiesVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to a blog-creating feature that stores datapersistently could perform a stored XSS attack against any other usersvisiting the blog page. This can lead to execute arbitrary HTML/JS codein a user's browser session in context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5805Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5805.php30.10.2023--Stored XSS (GlobalRecord[blog_name]):-------------------------------------Endpoint: POST /backend/tailor/globals/blog_configPayload: GlobalRecord%5Bblog_name%5D="</title><script>alert(1)</script>"

October CMS 3.4.0 Blog Cross Site Scripting

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability when a user has author posting capabilities.

    OctoberCMS v3.4.0 (Author) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to be an author feature could perform a storedXSS attack against any other users visiting the posts by the author. Thiscan lead to execute arbitrary HTML/JS code in a user's browser sessionin context of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5804Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5804.php30.10.2023--Stored XSS (EntryRecord[title]):--------------------------------Endpoint: /backend/tailor/entries/blog_authorPayload: EntryRecord%5Btitle%5D ="</title><script>alert(1)</script>"

October CMS 3.4.0 Author Cross Site Scripting

October CMS version 3.4.0 suffers from a persistent cross site scripting vulnerability where a user has the ability to edit the landing/about page.

    OctoberCMS v3.4.0 (About) Stored Cross-Site Scripting VulnerabilityVendor: October CMSProduct web page: https://www.octobercms.comAffected version: 3.4.0Summary: OctoberCMS is a self-hosted content management system (CMS)based on the PHP programming language and Laravel web application framework.It supports MySQL, SQLite and PostgreSQL for the database back end anduses a flat file database for the front end structure. The October CMScovers a range of capabilities such as users, permissions, themes, andplugins, and is seen as a simpler alternative to WordPress.Desc: OctoberCMS suffers from stored cross-site scripting vulnerabilitywhen a user with the ability to edit the landing/about page. This canlead to execute arbitrary HTML/JS code in a user's browser session incontext of an affected site.Tested on: macOS Monterey 12.6.3           Docker 4.12.0 (85629)           PHP/8.1.6Vulnerability discovered by Nazli Soysal Kuran                            @zeroscienceAdvisory ID: ZSL-2023-5803Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5803.php30.10.2023--Stored XSS (EntryRecord[blocks][1][content]):---------------------------------------------Endpoint: POST /backend/tailor/entries/landing_pagePayload: EntryRecord%5Bblocks%5D%5B1%5D%5Bcontent%5D="<script>alert(1)</script>"

October CMS 3.4.0 About Cross Site Scripting

Forgejo before 1.20.5-1 allows remote attackers to test for the existence of private user accounts by appending .rss (or another extension) to a URL.

Forgejo v1.20.5-1 was released 25 November 2023.

This release contains _critical security fixes_ related to permissions enforcement of API endpoints.

This release also contains bug fixes, as detailed in the release notes.

**Recommended Action**

We _strongly recommend_ that all Forgejo installations are upgraded to the latest version as soon as possible.

**API and web endpoint vulnerable to manually crafted identifiers**

Some API endpoints, such as adding a reaction to a comment, rely on an identifier unique to an object (a comment in this example). There are similar cases for web endpoints which are used by the Forgejo web interface.

The permissions required for the user performing the action on the repository are properly enforced. But a check was missing to ensure that the object (a comment in the example) also belongs to the repository the permissions are checked against. Without this check it is possible both to perform destructive actions and to access information in repositories unrelated to the request, including private ones.

API and web endpoints have been analysed, and those that were missing such a verification can be exploited by a malicious actor to:

*   delete releases and tags
*   delete and modify issues or pull requests comments
*   reveal the content of issues or pull requests comments from private repositories
*   perform other non-destructive actions such as creating issues, moving pinned issues, or obtaining deploy public keys

The vulnerable endpoints were fixed and tests written to verify the fix is effective.

**docker login and 2FA**

When using docker login to authenticate against a Forgejo instance using basic authentication, there needs to be an additional verification if 2FA is activated for the user. That verification was missing for the API endpoint used by docker login, thus bypassing 2FA.

**Responsible disclosure to Gitea**

On 25 October 2023 the Forgejo security team identified that multiple API and web endpoints were not protected against manually crafted identifiers, and the Gitea security team was notified. A 30-day embargo was requested, after which a patch to the v1.20 point release could be published. Further research from both Gitea and Forgejo teams in the following days revealed more vulnerabilities. Initial fixes and tests verifying they are effective were exchanged, but after their last email on 31 October 2023 the Gitea security team stopped responding. Given the severity of the vulnerability, the Forgejo security team asked again for feedback on 16 November 2023, but did not get any reply. Having exhausted all options for cooperation, the Forgejo security team completed the security fix on its own. The resulting fix which is published in this release was sent to the Gitea security team encrypted in its final version on 24 November 2023. At the time of publication, there was still no response from the Gitea security team.

**Responsible disclosure to Gogs**

The Gogs developer was notified of the vulnerability on 25 October 2023. There is no encrypted channel and only a terse but unambiguous message was sent. There has been no response.

**Forgejo will give advance warning of security releases**

Similar to what is done when a Go release contains a security fix, Forgejo will now publish advance warning of security releases. They will not reveal the details of the vulnerability but will allow Forgejo admins to plan ahead and better secure their instance. Anyone can watch to the dedicated tracker or subscribe to the RSS feed.

**Gogs and Gitea upgrades to Forgejo**

Gitea admins are reminded that Forgejo is a 100% compatible drop-in replacement for Gitea. It is enough to replace the Gitea binary or the container image with Forgejo and restart. No configuration modification is necessary. They are encouraged to choose that option to get this security fix as soon as possible.

In the absence of a security fix for Gogs, it is also possible to try and upgrade Gogs to Forgejo. Note however that such an upgrade will require manual intervention and configuration changes because the upgrade path has not been tested.

**Contribute to Forgejo**

If you have any feedback or suggestions for Forgejo, we’d love to hear from you! Open an issue on our issue tracker for feature requests or bug reports. You can also find us on the Fediverse, or drop by our Matrix space (main chat room) to say hi!

CVE-2023-49948: Forgejo Security Release 1.20.5-1

OctoberCMS suffers from stored cross-site scripting vulnerability when a user with the ability to a blog-creating feature that stores data persistently could perform a stored XSS attack against any other users visiting the blog page. This can lead to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Title: OctoberCMS v3.4.0 (Blog) Stored Cross-Site Scripting Vulnerabilities  
Advisory ID: ZSL-2023-5805  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (3/5)  
Release Date: 03.12.2023

**Summary**

OctoberCMS is a self-hosted content management system (CMS) based on the PHP programming language and Laravel web application framework. It supports MySQL, SQLite and PostgreSQL for the database back end and uses a flat file database for the front end structure. The October CMS covers a range of capabilities such as users, permissions, themes, and plugins, and is seen as a simpler alternative to WordPress.

**Description**

OctoberCMS suffers from stored cross-site scripting vulnerability when a user with the ability to a blog-creating feature that stores data persistently could perform a stored XSS attack against any other users visiting the blog page. This can lead to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

**Vendor**

October CMS - https://www.octobercms.com

**Affected Version**

3.4.0

**Tested On**

macOS Monterey 12.6.3  
Docker 4.12.0 (85629)  
PHP/8.1.6

**Vendor Status**

\[30.10.2023\] Vulnerability discovered.  
\[31.10.2023\] Contact with the vendor.  
\[06.11.2023\] Vendor asked for the details.  
\[07.11.2023\] Sent details to the vendor.  
\[11.11.2023\] Vendor asked for confirmation if the findings were within their scope.  
\[14.11.2023\] Confirmed the issues are within the scope.  
\[20.11.2023\] Vendor asked for further information on how exploits affect a public-facing website.  
\[22.11.2023\] Explained about impact of the findings in detail.  
\[29.11.2023\] Vendor didn't consider the findings as vulnerabilities.  
\[03.12.2023\] Public security advisory released.

**PoC**

octobercms\_xss(blog).txt

**Credits**

Vulnerability discovered by Nazli Soysal Kuran - <nazli@zeroscience.mk\>

**References**

N/A

**Changelog**

\[03.12.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

OctoberCMS v3.4.0 (Blog) Stored Cross-Site Scripting Vulnerabilities

OctoberCMS suffers from stored cross-site scripting vulnerability when a user with the ability to be an author feature could perform a stored XSS attack against any other users visiting the posts by the author. This can lead to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Title: OctoberCMS v3.4.0 (Author) Stored Cross-Site Scripting Vulnerability  
Advisory ID: ZSL-2023-5804  
Type: Local/Remote  
Impact: Cross-Site Scripting  
Risk: (3/5)  
Release Date: 03.12.2023

**Summary**

OctoberCMS is a self-hosted content management system (CMS) based on the PHP programming language and Laravel web application framework. It supports MySQL, SQLite and PostgreSQL for the database back end and uses a flat file database for the front end structure. The October CMS covers a range of capabilities such as users, permissions, themes, and plugins, and is seen as a simpler alternative to WordPress.

**Description**

OctoberCMS suffers from stored cross-site scripting vulnerability when a user with the ability to be an author feature could perform a stored XSS attack against any other users visiting the posts by the author. This can lead to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

**Vendor**

October CMS - https://www.octobercms.com

**Affected Version**

3.4.0

**Tested On**

macOS Monterey 12.6.3  
Docker 4.12.0 (85629)  
PHP/8.1.6

**Vendor Status**

\[30.10.2023\] Vulnerability discovered.  
\[31.10.2023\] Contact with the vendor.  
\[06.11.2023\] Vendor asked for the details.  
\[07.11.2023\] Sent details to the vendor.  
\[11.11.2023\] Vendor asked for confirmation if the findings were within their scope.  
\[14.11.2023\] Confirmed the issues are within the scope.  
\[20.11.2023\] Vendor asked for further information on how exploits affect a public-facing website.  
\[22.11.2023\] Explained about impact of the findings in detail.  
\[29.11.2023\] Vendor didn't consider the findings as vulnerabilities.  
\[03.12.2023\] Public security advisory released.

**PoC**

octobercms\_xss(author).txt

**Credits**

Vulnerability discovered by Nazli Soysal Kuran - <nazli@zeroscience.mk\>

**References**

N/A

**Changelog**

\[03.12.2023\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tag

#docker