Potential self-XSS when pasting content from malicious websites

Low
LukeTowers published GHSA-3pc2-fm7p-q2vg Jul 2, 2020

Package

composer october/backend (Composer)

Affected versions

>= 1.0.319, < 1.0.467

Patched versions

1.0.467

Description

Impact

Pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack.

Patches

Issue has been patched in Build 467 (v1.0.467).

Workarounds

Apply b384954 to your installation manually if unable to upgrade to Build 467.

References

For more information

If you have any questions or comments about this advisory:

Threat Assessment

Assessed as Low because, by the nature of the attack, it can only affect users who trigger it themselves by copying content from a malicious website and pasting it into the editor.

Acknowledgements

Thanks to Michał Bentkowski of Securitum for finding the original issue in Froala and @tomaszstrojny for reporting the issue to the October CMS team.

Severity

Low

CVE ID

CVE-2020-4061

Weaknesses

No CWEs

Credits