Low severity · NVD Advisory · Published Jul 14, 2020 · Updated Aug 4, 2024

Stored XSS in October

CVE-2020-11083

Description

In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users of the RainLab.Blog plugin, this has also been fixed in 1.4.1.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
october/backend (Packagist) | >= 1.0.319, < 1.0.466 | 1.0.466


Patches

6ae19a6e16ef

Implement support for backend.allow_unsafe_markdown and improve support for Swoole

https://github.com/rainlab/blog-plugin · Luke Towers · May 26, 2020 · via GHSA
2 files changed · +33 7
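--- a/formwidgets/BlogMarkdown.php
+++ b/formwidgets/BlogMarkdown.php
@@ -20,6 +20,9 @@
  */
 class BlogMarkdown extends MarkdownEditor
 {
+    /**
+     * {@inheritDoc}
+     */
     public function init()
     {
         $this->viewPath = base_path().'/modules/backend/formwidgets/markdowneditor/partials';
@@ -29,12 +32,28 @@ public function init()
         parent::init();
     }
 
+    /**
+     * {@inheritDoc}
+     */
     protected function loadAssets()
     {
         $this->assetPath = '/modules/backend/formwidgets/markdowneditor/assets';
         parent::loadAssets();
     }
 
+    /**
+     * Disable HTML cleaning on the widget level since the PostModel will handle it
+     *
+     * @return boolean
+     */
+    protected function shouldCleanHtml()
+    {
+        return false;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
     public function onRefresh()
     {
         $content = post($this->formField->getName());
@@ -46,6 +65,11 @@ public function onRefresh()
         ];
     }
 
+    /**
+     * Handle images being uploaded to the blog post
+     *
+     * @return void
+     */
     protected function checkUploadPostback()
     {
         if (!post('X_BLOG_IMAGE_UPLOAD')) {
@@ -90,11 +114,9 @@ protected function checkUploadPostback()
             ];
 
             $response = Response::make()->setContent($result);
-            $response->send();
+            $this->controller->setResponse($response);
 
-            die();
-        }
-        catch (Exception $ex) {
+        } catch (Exception $ex) {
             $message = $uploadedFileName
                 ? Lang::get('cms::lang.asset.error_uploading_file', ['name' => $uploadedFileName, 'error' => $ex->getMessage()])
                 : $ex->getMessage();
@@ -105,9 +127,7 @@ protected function checkUploadPostback()
             ];
 
             $response = Response::make()->setContent($result);
-            $response->send();
-
-            die();
+            $this->controller->setResponse($response);
         }
     }
 }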
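Review bot: `shouldCleanHtml()` returning `false` means the raw markdown submitted through this widget is persisted without any cleaning, on the assumption that the model sanitises it; that assumption holds only for what passes through `Post::formatHtml()` (which, in the companion hunk, cleans the parsed HTML), not for the stored markdown column itself. Any code path that reads the stored markdown and parses it independently — a theme partial, a feed, another plugin — would render unsanitised HTML; I cannot see those callers from here, so treat this as a caveat to confirm rather than a demonstrated hole. The docblock should state the contract so the override is not copied to other widgets, e.g. `* Disable HTML cleaning at the widget level: the raw markdown is stored as submitted and Post::formatHtml() is responsible for cleaning the rendered HTML. Do not reuse this override for fields whose output does not go through formatHtml().`. The class body continues outside the hunks shown, so I could not check whether anything else in the widget relies on a cleaned value.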
    
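--- a/models/Post.php
+++ b/models/Post.php
@@ -189,6 +189,12 @@ public static function formatHtml($input, $preview = false)
     {
         $result = Markdown::parse(trim($input));
 
+        // Check to see if the HTML should be cleaned from potential XSS
+        $user = BackendAuth::getUser();
+        if (!$user || !$user->hasAccess('backend.allow_unsafe_markdown')) {
+            $result = Html::clean($result);
+        }
+
         if ($preview) {
             $result = str_replace('<pre>', '<pre class="prettyprint">', $result);
         }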
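Review bot: The permission check added at the top of this hunk is evaluated against whoever is logged in when `formatHtml()` runs, not against the author of the content, so a user holding `backend.allow_unsafe_markdown` who re-saves or re-renders a post written by a lower-privileged user will persist that user's raw HTML unsanitised; the no-user branch (frontend, CLI, queue) falls back to cleaning, which is the right default. If `hasAccess()` treats superusers as holding every permission — which I cannot verify from this hunk — superusers bypass the cleaning unconditionally, and that deserves a line in the docs. I would replace the one-line comment with `// Clean the rendered HTML unless the *current* backend user may store unsafe markup. Keys off the session user, not the post author; with no user (frontend, CLI) the output is always cleaned.`. `formatHtml()` starts in this hunk but the rest of its body is outside it.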
    
9ecfb4867baa

Add new backend.allow_unsafe_markdown permission

https://github.com/octobercms/october · Luke Towers · May 26, 2020 · via GHSA
3 files changed · +46 6
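--- a/modules/backend/formwidgets/MarkdownEditor.php
+++ b/modules/backend/formwidgets/MarkdownEditor.php
@@ -1,7 +1,8 @@
 <?php namespace Backend\FormWidgets;
 
-use BackendAuth;
+use Html;
 use Markdown;
+use BackendAuth;
 use Backend\Classes\FormWidgetBase;
 
 /**
@@ -42,12 +43,12 @@ class MarkdownEditor extends FormWidgetBase
     //
 
     /**
-     * @inheritDoc
+     * {@inheritDoc}
      */
     protected $defaultAlias = 'markdown';
 
     /**
-     * @inheritDoc
+     * {@inheritDoc}
      */
     public function init()
     {
@@ -60,7 +61,7 @@ public function init()
     }
 
     /**
-     * @inheritDoc
+     * {@inheritDoc}
      */
     public function render()
     {
@@ -84,7 +85,7 @@ public function prepareVars()
     }
 
     /**
-     * @inheritDoc
+     * {@inheritDoc}
      */
     protected function loadAssets()
     {
@@ -93,13 +94,45 @@ protected function loadAssets()
         $this->addJs('/modules/backend/formwidgets/codeeditor/assets/js/build-min.js', 'core');
     }
 
+    /**
+     * Check to see if the generated HTML should be cleaned to remove any potential XSS
+     *
+     * @return boolean
+     */
+    protected function shouldCleanHtml()
+    {
+        $user = BackendAuth::getUser();
+        return !$user || !$user->hasAccess('backend.allow_unsafe_markdown');
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function getSaveValue($value)
+    {
+        if ($this->shouldCleanHtml()) {
+            $value = Html::clean($value);
+        }
+
+        return $value;
+    }
+
+    /**
+     * AJAX handler to render the markdown as HTML
+     *
+     * @return array ['preview' => $generatedHTML]
+     */
     public function onRefresh()
     {
         $value = post($this->getFieldName());
         $previewHtml = $this->safe
             ? Markdown::parseSafe($value)
             : Markdown::parse($value);
 
+        if ($this->shouldCleanHtml()) {
+            $previewHtml = Html::clean($previewHtml);
+        }
+
         return [
             'preview' => $previewHtml
         ];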
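Review bot: `getSaveValue()` runs `Html::clean()` over the raw markdown source, whereas `onRefresh()` runs it over the HTML produced by `Markdown::parse()`, so the two paths do not sanitise the same thing: markup that only materialises after parsing (link destinations, autolinks, entity-decoded attribute values) can pass the save-time clean while the preview shows it stripped, and whoever parses the stored value later sees the unstripped form. Cleaning the source is still useful as defence in depth, but it must not be read as the control for the rendered output, and the `safe`/`parseSafe` choice is likewise applied only in the preview path. The docblock on `getSaveValue()` should say so; replace `{@inheritDoc}` with `Strip raw HTML from the markdown source before it is persisted (unless the user may store unsafe markup). This cleans the source, not the parsed output: code that renders the stored value must clean the result of Markdown::parse() as well, as onRefresh() does.` `MarkdownEditor`'s class body continues outside these hunks.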
    
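--- a/modules/backend/lang/en/lang.php
+++ b/modules/backend/lang/en/lang.php
@@ -567,6 +567,7 @@
     ],
     'permissions' => [
         'manage_media' => 'Upload and manage media contents - images, videos, sounds, documents',
+        'allow_unsafe_markdown' => 'Use unsafe Markdown (can use HTML & JS)',
     ],
     'mediafinder' => [
         'label' => 'Media Finder',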
    
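--- a/modules/backend/ServiceProvider.php
+++ b/modules/backend/ServiceProvider.php
@@ -4,6 +4,7 @@
 use Backend;
 use BackendMenu;
 use BackendAuth;
+use Backend\Models\UserRole;
 use Backend\Classes\WidgetManager;
 use System\Classes\MailManager;
 use System\Classes\CombineAssets;
@@ -168,7 +169,12 @@ protected function registerBackendPermissions()
                 'media.manage_media' => [
                     'label' => 'backend::lang.permissions.manage_media',
                     'tab' => 'system::lang.permissions.name',
-                ]
+                ],
+                'backend.allow_unsafe_markdown' => [
+                    'label' => 'backend::lang.permissions.allow_unsafe_markdown',
+                    'tab' => 'system::lang.permissions.name',
+                    'roles' => UserRole::CODE_DEVELOPER,
+                ],
             ]);
         });
     }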
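Review bot: The new permission carries `'roles' => UserRole::CODE_DEVELOPER`, which, if `roles` behaves here as it does for other registered permissions, hands the sanitiser bypass to every existing account in the Developer role the moment this version is deployed, without an administrator consciously granting it. Because the permission exists precisely to switch off an XSS control, shipping it unassigned — or at least calling the default out in the upgrade notes — would be the safer choice; the role-assignment logic is not visible in this hunk, so confirm before changing it. At minimum the entry deserves a comment, e.g. `// Security-sensitive: disables Html::clean() on markdown fields for the holder; granted to the Developer role by default.`.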
    

