ghsa-rvx8-p3xp-fj3p
Vulnerability from github
Published
2023-11-29 21:45
Modified
2023-11-29 21:45
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
October CMS stored XSS by authenticated backend user with improper configuration
Details

Impact

A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported.

SVG files are supported by default in v3 for convenience; however, this has resulted in multiple mistaken vulnerability reports from security researchers. As per the documentation, if a backend user is not trusted, the advice is to remove the svg extension from the list of supported file types.

Patches

The issue has been patched in v3.5.2 by including an SVG sanister. It is enabled by default for new installations but must be enabled for existing sites in the config/media.php file.

'clean_vectors' => true,

Workarounds

If you cannot upgrade for this patch, follow the pervious advice and remove svg from the supported file types.

References

  • https://github.com/octobercms/october/blob/3.x/config/media.php

Credits to: - Faris Krivic - Okan Kurtulus - Aldin Visnjic - Bug Shankar

For more information

If you have any questions or comments about this advisory: * Email us at hello@octobercms.com

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/system"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-44383"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-29T21:45:31Z",
    "nvd_published_at": "2023-11-29T20:15:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported.\n\nSVG files are supported by default in v3 for convenience; however, this has resulted in multiple mistaken vulnerability reports from security researchers. As per the documentation, if a backend user is not trusted, the advice is to remove the `svg` extension from the list of supported file types.\n\n### Patches\n\nThe issue has been patched in v3.5.2 by including an SVG sanister. It is enabled by default for new installations but must be enabled for existing sites in the **config/media.php** file.\n\n```\n\u0027clean_vectors\u0027 =\u003e true,\n```\n\n### Workarounds\n\nIf you cannot upgrade for this patch, follow the pervious advice and remove `svg` from the supported file types.\n\n### References\n\n- https://github.com/octobercms/october/blob/3.x/config/media.php\n\nCredits to:\n- Faris Krivic\n- Okan Kurtulus\n- Aldin Visnjic\n- Bug Shankar\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n",
  "id": "GHSA-rvx8-p3xp-fj3p",
  "modified": "2023-11-29T21:45:31Z",
  "published": "2023-11-29T21:45:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-rvx8-p3xp-fj3p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44383"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/commit/b7eed0bbf54d07ff310fcdc7037a8e8bf1f5043b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octobercms/october"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "October CMS stored XSS by authenticated backend user with improper configuration"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.