CVE-2020-4061

Description

### Impact Pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. ### Patches Issue has been patched in Build 467 (v1.0.467). ### Workarounds Apply https://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5 to your installation manually if unable to upgrade to Build 467. ### References - https://research.securitum.com/the-curious-case-of-copy-paste/ ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected]) ### Threat Assessment Assessed as Low given that by the nature of the attack it can only impact users that do it to themselves by copying and pasting from malicious websites. ### Acknowledgements Thanks to [Michał Bentkowski of Securitum](https://research.securitum.com/authors/michal-bentkowski/) for finding the original issue in Froala and @tomaszstrojny for reporting the issue to the October CMS team.

Affected packages (1)

• Packagist/october/backend>= 1.0.319, < 1.0.467

CVSS scores

References (4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-4061
• WEBhttps://github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5
• WEBhttps://github.com/octobercms/october/security/advisories/GHSA-3pc2-fm7p-q2vg
• WEBhttps://research.securitum.com/the-curious-case-of-copy-paste