Platform
php
Component
october/backend
Fixed in
1.0.320
1.0.467
CVE-2020-4061 describes a Cross-Site Scripting (XSS) vulnerability in the October CMS backend. Content copied from an attacker-controlled website and pasted into the Froala rich editor could carry HTML that the editor's paste handling let through, so script in the clipboard payload executed in the backend user's browser. The vulnerability affects October CMS versions up to and including v1.0.466; the fix shipped in Build 467 (v1.0.467).
The primary impact is a self-XSS attack: the victim has to perform the paste themselves. An attacker hosts a page whose copied content carries a script payload; when a backend user pastes that content into the Froala rich editor, the script runs in the user's browser under the October CMS backend origin. From there it can hijack the session, read data the user is authorised to see, perform backend actions as that user, or deface the site. The blast radius is limited to users with backend access, but those are exactly the users whose privileges make a successful attack significant.
The vulnerability was publicly disclosed on July 2, 2020, following research by Securitum, and a public proof-of-concept is included in the Securitum write-up. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and active exploitation is not confirmed, but the public PoC lowers the bar for exploitation.
Exploit Status
EPSS
0.31% (54th percentile)
The recommended mitigation for CVE-2020-4061 is to upgrade to October CMS Build 467 (v1.0.467) or later. If an immediate upgrade is not possible, apply the fix commit manually: https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5. A Web Application Firewall is of limited use here: the payload arrives through the clipboard and executes in the browser at paste time, before anything is sent to the server, so WAF rules on editor submissions can at most catch the stored form of the content. After upgrading or patching, verify on a staging install with a test account: paste known XSS payloads (an image tag with an onerror handler, a javascript: link) into the editor and confirm that nothing executes during the paste and that the saved content contains no event handlers or script.
Update October CMS to version 1.0.467 or higher. This release fixes the XSS vulnerability that allowed script execution in a backend user's browser when content from an untrusted website was pasted into the Froala editor.
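One way to make the post-patch verification repeatable, as an added example that is not October CMS or Froala code: after pasting test payloads into the editor on a staging install and saving, export the persisted richeditor field value (from the backend form submission or the database) into a string and run it through a scanner that flags active content. The scanner below uses only Python's standard-library html.parser; the two HTML samples are constructed for illustration and are not the published proof-of-concept.

```python
"""Flag active content in HTML that a rich editor has persisted.

Added example for the post-patch verification step; it is not October CMS
or Froala code. It assumes you have exported the saved richeditor field
value (from the backend form submission or the database) into a string.
"""
import re
from html.parser import HTMLParser

# Elements that can run script or load active/external content on their own.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
               "link", "meta", "base", "form", "style"}
# Attributes whose value is a URL the browser will navigate to or fetch.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href",
             "data", "background", "poster"}
SCHEME = re.compile(r"^(javascript|vbscript|data):", re.IGNORECASE)
# Raster data: URLs are common in pasted content and cannot carry script.
SAFE_DATA = ("data:image/png", "data:image/jpeg", "data:image/gif", "data:image/webp")


def normalize_url(value: str) -> str:
    """Strip ASCII control characters and whitespace; browsers ignore them
    inside a URL scheme, so "java\\tscript:" still runs."""
    return re.sub(r"[\x00-\x20]", "", value)


class ActiveContentScanner(HTMLParser):
    """Collect a finding for every tag/attribute that could execute at render time."""

    def __init__(self):
        # html.parser decodes entity-encoded attribute values such as
        # href="&#106;avascript:..." before handing them to us, which is also
        # what the browser does, so encoded schemes are still caught below.
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}>: active element")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}>: inline event handler")
            elif name == "srcdoc":
                self.findings.append(f"<{tag} srcdoc>: inline document")
            elif name in URL_ATTRS:
                url = normalize_url(value)
                if SCHEME.match(url) and not url.lower().startswith(SAFE_DATA):
                    scheme = url.split(":", 1)[0].lower()
                    self.findings.append(f"<{tag} {name}>: {scheme}: URL")
            elif name == "style" and re.search(r"expression\s*\(|url\s*\(", value, re.I):
                self.findings.append(f"<{tag} style>: CSS with expression()/url()")


def scan(persisted_html: str) -> list:
    """Return the findings for one saved editor value (empty list = clean)."""
    scanner = ActiveContentScanner()
    scanner.feed(persisted_html)
    scanner.close()
    return scanner.findings


def paste_test_passes(persisted_html: str) -> bool:
    """True when the stored content carries no active content."""
    return not scan(persisted_html)


# Constructed sample: what a crafted clipboard text/html payload could look like
# once an editor that does not sanitise pastes has saved it. Illustrative only.
SAMPLE_PASTED = (
    "<p>Quarterly figures</p>"
    '<img src="x" onerror="alert(document.cookie)">'
    '<a href="JAVA&#9;SCRIPT:alert(1)">report</a>'
    '<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>'
)
# Constructed sample of the same content after a correct paste sanitiser.
SAMPLE_CLEAN = '<p>Quarterly figures</p><a href="https://example.com/report">report</a>'

if __name__ == "__main__":
    for label, html in (("pasted", SAMPLE_PASTED), ("clean", SAMPLE_CLEAN)):
        print(label, "PASS" if paste_test_passes(html) else "FAIL")
        for finding in scan(html):
            print("  ", finding)
```

A clean scan of the stored value is necessary but not sufficient: self-XSS fires in the browser at paste time, before anything is saved, so also watch for the test payload executing during the paste itself (a handler that writes to the console is enough) rather than relying only on the stored output.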
CVE-2020-4061 is a Cross-Site Scripting (XSS) vulnerability in the October CMS backend: script carried in content pasted into the Froala rich editor executes in the backend user's browser.
You are affected if you run October CMS v1.0.466 or earlier and your backend users use the Froala rich editor.
Upgrade to October CMS Build 467 (v1.0.467) or apply the fix commit (b384954a) manually.
Active exploitation is not confirmed, but a public proof-of-concept exists, which increases the risk.
Refer to the Securitum research report, which includes the public proof-of-concept: https://research.securitum.com/the-curious-case-of-copy-paste/