OctoberCMS v3.4.0 (Author) Stored Cross-Site Scripting Vulnerability

Medium
Advisory ID
ZSL-2023-5804
Release Date
03 December 2023
Vendor
Affected Version
3.4.0
Tested On
macOS Monterey 12.6.3, Docker 4.12.0 (85629), PHP/8.1.6
Summary

OctoberCMS is a self-hosted content management system (CMS) based on the PHP programming language and Laravel web application framework. It supports MySQL, SQLite and PostgreSQL for the database back end and uses a flat file database for the front end structure. The October CMS covers a range of capabilities such as users, permissions, themes, and plugins, and is seen as a simpler alternative to WordPress.

Description

OctoberCMS suffers from a stored cross-site scripting vulnerability: a user who has the author capability can perform a stored XSS attack against any other users visiting that author's posts. This can lead to the execution of arbitrary HTML/JS code in a user's browser session in the context of an affected site.

Proof of Concept
Disclosure Timeline
30.10.2023: Vulnerability discovered.
31.10.2023: Contact with the vendor.
06.11.2023: Vendor asked for the details.
07.11.2023: Sent details to the vendor.
11.11.2023: Vendor asked for confirmation that the findings were within their scope.
14.11.2023: Confirmed the issues are within the scope.
20.11.2023: Vendor asked for further information on how the exploits affect a public-facing website.
22.11.2023: Explained the impact of the findings in detail.
29.11.2023: Vendor didn't consider the findings as vulnerabilities.
03.12.2023: Public security advisory released.
Credits
Vulnerability discovered by Nazli Soysal Kuran
References
Changelog
03.12.2023: Initial release
20.12.2023: Added reference [1], [2] and [3]