Low severity · NVD Advisory · Published Jul 14, 2020 · Updated Aug 4, 2024
Stored XSS in October
CVE-2020-11083
Description
In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users of the RainLab.Blog plugin, this has also been fixed in 1.4.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| october/backend (Packagist) | >= 1.0.319, < 1.0.466 | 1.0.466 |
Affected products
- Range: >= 1.0.319, < 1.0.466
References
- github.com/advisories/GHSA-w4pj-7p68-3vgv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-11083 (ghsa, ADVISORY)
- packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html (ghsa, x_refsource_MISC, WEB)
- seclists.org/fulldisclosure/2020/Aug/2 (ghsa, mailing-list, x_refsource_FULLDISC, WEB)
- github.com/octobercms/october/commit/9ecfb4867baae14a0d3f99f5b5c1e8a979ae8746 (ghsa, x_refsource_MISC, WEB)
- github.com/octobercms/october/security/advisories/GHSA-w4pj-7p68-3vgv (ghsa, x_refsource_CONFIRM, WEB)
- github.com/rainlab/blog-plugin/commit/6ae19a6e16ef3ba730692bc899851342c858bb94 (ghsa, x_refsource_MISC, WEB)