Impact
A user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field.
Patches
Issue has been patched in Build 466 (v1.0.466) & RainLab.Blog v1.4.1 by restricting the ability to store JS in markdown to only users that have been explicitly granted the backend.allow_unsafe_markdown
permission.
Workarounds
Apply octobercms/october@9ecfb48 & rainlab/blog-plugin@6ae19a6 to your installation manually if unable to upgrade to Build 466 or v1.4.1 of RainLab.Blog (if using that plugin).
References
Reported by Sivanesh Ashok
For more information
If you have any questions or comments about this advisory:
Threat assessment:
### References
- https://github.com/octobercms/october/security/advisories/
GHSA-w4pj-7p68-3vgv
- https://nvd.nist.gov/vuln/detail/
CVE-2020-11083
- https://github.com/octobercms/october/commit/9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746
- https://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94
- http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html
- http://seclists.org/fulldisclosure/2020/Aug/2
Impact
A user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field.
Patches
Issue has been patched in Build 466 (v1.0.466) & RainLab.Blog v1.4.1 by restricting the ability to store JS in markdown to only users that have been explicitly granted the
backend.allow_unsafe_markdown
permission.Workarounds
Apply octobercms/october@9ecfb48 & rainlab/blog-plugin@6ae19a6 to your installation manually if unable to upgrade to Build 466 or v1.4.1 of RainLab.Blog (if using that plugin).
References
Reported by Sivanesh Ashok
For more information
If you have any questions or comments about this advisory:
Threat assessment:
### References - https://github.com/octobercms/october/security/advisories/GHSA-w4pj-7p68-3vgv - https://nvd.nist.gov/vuln/detail/CVE-2020-11083 - https://github.com/octobercms/october/commit/9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746 - https://github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94 - http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html - http://seclists.org/fulldisclosure/2020/Aug/2