LOW · CVE-2020-4061 · CVSS 3.7

CVE-2020-4061: XSS in October CMS Backend

Platform

php

Component

october/backend

Fixed in

1.0.320

1.0.467

AI Confidence: high · NVD · EPSS 0.3% · Reviewed: May 2026

CVE-2020-4061 describes a Cross-Site Scripting (XSS) vulnerability discovered in the October CMS backend. This vulnerability allows an attacker to inject malicious scripts by pasting content from compromised websites into the Froala rich editor. The vulnerability impacts versions of October CMS up to and including v1.0.466. A patch is available in Build 467 (v1.0.467).

Impact and Attack Scenarios

The primary impact of CVE-2020-4061 is the potential for a self-XSS attack. An attacker could craft a malicious website containing JavaScript code designed to exploit this vulnerability. When a user with access to the October CMS backend pastes content from this malicious site into the Froala rich editor, the injected script will be executed within the user's browser context. This could lead to session hijacking, unauthorized access to sensitive data, or defacement of the website. The blast radius is limited to users with backend access, but the consequences of a successful attack can be significant.

Exploitation Context

This vulnerability was publicly disclosed on July 2, 2020, following research by Securitum. A public proof-of-concept is available in the Securitum research report. The vulnerability is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed at this time, but the availability of a public PoC increases the risk of exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.31% (54th percentile)

CVSS Vector

CVSS 3.1 Base Score: 3.7 (LOW)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
(nextguardhq.com · CVSS v3.1 Base Score)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: october/backend
Vendor: osv

Affected range            Fixed in
>= 1.0.319, < 1.0.467     1.0.320
1.0.319                   1.0.467

Package Information

Last updated
1.1.1255 months ago

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patched -7 days after disclosure

Mitigation and Workarounds

The recommended mitigation for CVE-2020-4061 is to upgrade to October CMS Build 467 (v1.0.467) or later. If an immediate upgrade is not possible, the code changes from the fix commit at https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5 can be applied as a manual patch. Consider implementing Web Application Firewall (WAF) rules to filter potentially malicious input within the Froala rich editor. After applying the upgrade or patch, confirm the vulnerability is resolved by attempting to paste known malicious JavaScript payloads into the editor and verifying that they are not executed.

How to fix

Update October CMS to version 1.0.467 or higher. This version fixes the XSS vulnerability that allows malicious code execution when pasting content from untrusted websites into the Froala editor.


Frequently asked questions

What is CVE-2020-4061 — XSS in October CMS?

CVE-2020-4061 is a Cross-Site Scripting (XSS) vulnerability in the October CMS backend, allowing malicious script injection via the Froala rich editor.

Am I affected by CVE-2020-4061 in October CMS?

You are affected if you are running October CMS versions up to and including v1.0.466 and use the Froala rich editor in the backend.

How do I fix CVE-2020-4061 in October CMS?

Upgrade to October CMS Build 467 (v1.0.467) or apply the manual patch available at the provided GitHub link.

Is CVE-2020-4061 being actively exploited?

Active exploitation is not confirmed, but a public proof-of-concept exists, increasing the risk.

Where can I find the official October CMS advisory for CVE-2020-4061?

Refer to the October CMS advisory and research report: https://research.securitum.com/the-curious-case-of-copy-paste/
