OctoberCMS v3.4.0 (Category) Stored Cross-Site Scripting Vulnerability

Title: OctoberCMS v3.4.0 (Category) Stored Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2023-5806
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 03.12.2023
Summary
OctoberCMS is a self-hosted content management system (CMS) based on the PHP programming language and Laravel web application framework. It supports MySQL, SQLite and PostgreSQL for the database back end and uses a flat file database for the front end structure. The October CMS covers a range of capabilities such as users, permissions, themes, and plugins, and is seen as a simpler alternative to WordPress.
Description
OctoberCMS suffers from a stored cross-site scripting vulnerability: a user with access to the category-creation feature, which stores its data persistently, can plant a stored XSS payload that is served to any other user visiting the blog page. This can lead to execution of arbitrary HTML/JS code in a user's browser session in the context of an affected site.
Vendor
October CMS - https://www.octobercms.com
Affected Version
3.4.0
Tested On
macOS Monterey 12.6.3
Docker 4.12.0 (85629)
PHP/8.1.6
Vendor Status
[30.10.2023] Vulnerability discovered.
[31.10.2023] Contact with the vendor.
[06.11.2023] Vendor asked for the details.
[07.11.2023] Sent details to the vendor.
[11.11.2023] Vendor asked for confirmation if the findings were within their scope.
[14.11.2023] Confirmed the issues are within the scope.
[20.11.2023] Vendor asked for further information on how exploits affect a public-facing website.
[22.11.2023] Explained about impact of the findings in detail.
[29.11.2023] Vendor didn't consider the findings as vulnerabilities.
[03.12.2023] Public security advisory released.
PoC
octobercms_xss(category).txt
Credits
Vulnerability discovered by Nazli Soysal Kuran - <nazli@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/176052/October-CMS-3.4.0-Category-Cross-Site-Scripting.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2023-49525
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-49525
Changelog
[03.12.2023] - Initial release
[20.12.2023] - Added reference [1], [2] and [3]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk