GHSA-3PC2-FM7P-Q2VG
Vulnerability from github – Published: 2020-07-02 16:55 – Updated: 2021-03-04 18:26
Summary
Cross-site Scripting in October
Details
Impact
Pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack.
Patches
The issue has been patched in Build 467 (v1.0.467).
Workarounds
Apply https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5 to your installation manually if unable to upgrade to Build 467.
References
- https://research.securitum.com/the-curious-case-of-copy-paste/
For more information
If you have any questions or comments about this advisory:
- Email us at hello@octobercms.com
Threat Assessment
Assessed as Low given that, by the nature of the attack, it can only affect users who do it to themselves by copying and pasting content from malicious websites.
Acknowledgements
Thanks to Michał Bentkowski of Securitum for finding the original issue in Froala and @tomaszstrojny for reporting the issue to the October CMS team.
{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.319"
            },
            {
              "fixed": "1.0.467"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-4061"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-07-02T16:54:50Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nPasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack.\n\n### Patches\nIssue has been patched in Build 467 (v1.0.467).\n\n### Workarounds\nApply https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5 to your installation manually if unable to upgrade to Build 467.\n\n### References\n- https://research.securitum.com/the-curious-case-of-copy-paste/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat Assessment\nAssessed as Low given that by the nature of the attack it can only impact users that do it to themselves by copying and pasting from malicious websites.\n\n### Acknowledgements\n\nThanks to [Micha\u0142 Bentkowski of Securitum](https://research.securitum.com/authors/michal-bentkowski/) for finding the original issue in Froala and @tomaszstrojny for reporting the issue to the October CMS team.",
  "id": "GHSA-3pc2-fm7p-q2vg",
  "modified": "2021-03-04T18:26:09Z",
  "published": "2020-07-02T16:55:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-3pc2-fm7p-q2vg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4061"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5"
    },
    {
      "type": "WEB",
      "url": "https://research.securitum.com/the-curious-case-of-copy-paste"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-site Scripting in October"
}