Platform
php
Component
october/backend
Fixed in
1.0.320
1.0.467
CVE-2020-4061 describes a Cross-Site Scripting (XSS) vulnerability discovered in the October CMS backend. This vulnerability allows an attacker to inject malicious scripts by pasting content from compromised websites into the Froala rich editor. The vulnerability impacts versions of October CMS up to and including v1.0.466. A patch is available in Build 467 (v1.0.467).
The primary impact of CVE-2020-4061 is the potential for a self-XSS attack. An attacker could craft a malicious website containing JavaScript code designed to exploit this vulnerability. When a user with access to the October CMS backend pastes content from this malicious site into the Froala rich editor, the injected script will be executed within the user's browser context. This could lead to session hijacking, unauthorized access to sensitive data, or defacement of the website. The blast radius is limited to users with backend access, but the consequences of a successful attack can be significant.
This vulnerability was publicly disclosed on July 2, 2020, following research by Securitum. A public proof-of-concept is available in the Securitum research report. The vulnerability is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed at this time, but the availability of a public PoC increases the risk of exploitation.
Administrators and developers with access to the October CMS backend are at risk. Sites utilizing the Froala rich editor within the backend are particularly vulnerable. Shared hosting environments where multiple websites share the same October CMS installation could also be affected, potentially impacting multiple users.
• php / server:
find /var/www/october/plugins/froala/ -name 'Froala.Editor.js' -exec grep -i 'eval(' {} + | less
• generic web:
curl -I https://your-october-cms-site.com/backend/ | grep Content-Type
Check for Content-Type headers that allow script execution.
disclosure
patch
Exploit status
EPSS
0.31% (54th percentile)
CVSS vector
The recommended mitigation for CVE-2020-4061 is to upgrade to October CMS Build 467 (v1.0.467) or later. If an immediate upgrade is not possible, the code changes from https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5 can be applied manually as a patch. Consider adding Web Application Firewall (WAF) rules to filter potentially malicious input submitted through the Froala rich editor. After applying the upgrade or patch, confirm the vulnerability is resolved by pasting known malicious JavaScript payloads into the editor and verifying that they are not executed.
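The attack path described above (pasted rich content carrying script that runs in the backend user's browser) and the filtering mentioned in the mitigation both come down to what the application accepts from a paste. The following is an added example, not October CMS code, not the Froala editor's own paste handling, and not the fix in the referenced commit: a server-side allowlist sanitizer for pasted HTML built on Python's standard-library parser. It drops script and style blocks together with their contents, removes every on* event-handler attribute, keeps only an allowlisted set of tags, and keeps an href only when its scheme is on an allowlist (so obfuscations such as `javascript&colon;` are decoded by the parser and then rejected). The tag and attribute allowlists and the sample paste are assumptions constructed for the demo.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlists are an assumption for this demo; tune them to the formatting the editor must keep.
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "u", "ul", "ol", "li", "br",
                "a", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
# Allowlist of URL schemes: anything else (javascript:, data:, vbscript:, ...) is dropped.
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.IGNORECASE)


class PasteSanitizer(HTMLParser):
    """Rebuild the pasted fragment from an allowlist instead of trying to spot bad parts."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>: their contents are discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content still passes through handle_data
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                continue  # event handlers never survive a paste
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            value = (value or "").strip()  # parser has already decoded entities such as &colon;
            if name == "href" and not SAFE_URL.match(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth:
            return
        self.out.append(escape(data, quote=False))  # text is re-escaped, never re-emitted raw


def sanitize_pasted_html(fragment: str) -> str:
    """Return a sanitized copy of an HTML fragment received from the editor's paste handler."""
    parser = PasteSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample paste: event handler, inline script, javascript: link and an img onerror.
CONSTRUCTED_PASTE = (
    '<p onmouseover="alert(1)">Hi <script>alert(2)</script>'
    '<a href="javascript:alert(3)">x</a><img src=x onerror=alert(4)></p>'
)

if __name__ == "__main__":
    print(sanitize_pasted_html(CONSTRUCTED_PASTE))  # <p>Hi <a>x</a></p>
```

Run the sanitizer on the server side, at the point where pasted content is stored or rendered, because a client-side filter in the editor can be bypassed by anyone who controls the browser; the demo deliberately rebuilds output from an allowlist rather than deleting known-bad patterns, which is the approach that survives new obfuscations.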
Update October CMS to version 1.0.467 or higher. This version fixes the XSS vulnerability that allows execution of malicious code by pasting content from untrusted websites into the Froala editor.
CVE-2020-4061 is a Cross-Site Scripting (XSS) vulnerability in the October CMS backend, allowing malicious script injection via the Froala rich editor.
You are affected if you are running October CMS versions ≤v1.0.466 and utilize the Froala rich editor in the backend.
Upgrade to October CMS Build 467 (v1.0.467) or apply the manual patch available at the provided GitHub link.
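To decide which installs in an inventory still need the upgrade, the affected range (≤ v1.0.466, fixed from Build 467 / v1.0.467) can be checked programmatically. This is an added example, not tooling from the October CMS project or the advisory: it parses the version strings an inventory typically carries and labels each host. The inventory is constructed for the demo, and treating a bare "Build N" as 1.0.N is an assumption based on how this advisory pairs Build 467 with v1.0.467.

```python
import re
from typing import Dict, Tuple

# First build that contains the fix, per the advisory (Build 467 == v1.0.467).
FIRST_FIXED_VERSION: Tuple[int, int, int] = (1, 0, 467)


def parse_october_version(text: str) -> Tuple[int, int, int]:
    """Accept 'v1.0.466', '1.0.466' or 'Build 466' and return a comparable tuple.

    Assumption for the demo: a bare 'Build N' refers to the 1.0.N line.
    """
    s = text.strip()
    m = re.fullmatch(r"build\s*(\d+)", s, flags=re.IGNORECASE)
    if m:
        return (1, 0, int(m.group(1)))
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", s, flags=re.IGNORECASE)
    if m:
        major, minor, patch = (int(x) for x in m.groups())
        return (major, minor, patch)
    raise ValueError(f"unrecognised October CMS version string: {text!r}")


def is_affected(text: str) -> bool:
    """True when the install predates Build 467, i.e. is at v1.0.466 or earlier."""
    return parse_october_version(text) < FIRST_FIXED_VERSION


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host 'affected', 'fixed' or 'unknown' (unparseable version)."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"  # unknown versions get flagged for manual follow-up, not ignored
    return result


# Constructed inventory for the demo (hostnames and versions are made up).
CONSTRUCTED_INVENTORY = {
    "shop": "v1.0.466",
    "blog": "1.0.467",
    "intranet": "Build 320",
    "docs": "1.1.2",
    "legacy": "unknown-build",
}

if __name__ == "__main__":
    for host, status in triage(CONSTRUCTED_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts labelled "unknown" should be checked by hand rather than dropped from the list; a version string that cannot be parsed is more often an old or customised install than a fixed one.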
Active exploitation is not confirmed, but a public proof-of-concept exists, increasing the risk.
Refer to the October CMS advisory and research report: https://research.securitum.com/the-curious-case-of-copy-paste/