CVE-2025-61676
October CMS Vulnerable to Stored XSS via Branding Styles
Severity: MEDIUM (6.1) | EPSS: 0.07%
Description
A cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms:

- **Branding and Appearance Styles**

A user with the `Customize Backend Styles` permission could inject malicious HTML/JS into the stylesheet input at *Settings → Branding & Appearance → Styles*. A specially crafted input could break out of the intended `<style>` context, allowing arbitrary script execution across backend pages for all users.

---

### Impact

- Persistent XSS across the backend interface.
- Exploitable by lower-privileged accounts that hold the above permission.
- Potential consequences include privilege escalation, session hijacking, and execution of unauthorized actions in victim sessions.

---

### Patches

The vulnerability has been patched in **v4.0.12** and **v3.7.13**. Stylesheet inputs are now sanitized to prevent injection of arbitrary HTML/JS. All users are strongly encouraged to upgrade to the latest patched version.

---

### Workarounds

If upgrading immediately is not possible:

- Restrict the `Customize Backend Styles` permission to fully trusted administrators only. This reduces exposure but does not fully eliminate risk.

---

### Credits

- Reported by **[Nakkouch Tarek](https://github.com/nakkouchtarek)**
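The following is an added illustration of the vulnerability class described above. It is not October CMS code and not the vendor's patch; the function names and the two sample stylesheets are constructed for the example. It models how an HTML tokenizer treats the body of a `<style>` element, shows why a verbatim stylesheet lets a closing tag end that element early, and applies one hardening that keeps the stylesheet intact: write every `<` as the CSS character escape `\3c `, which the CSS parser decodes to the same character but which can never form `</style`.

```javascript
// Added example (not October CMS code): a user-supplied stylesheet
// interpolated into a <style> element, the break-out it permits, and a
// CSS-escaping fix. All names are hypothetical.

// Constructed sample stylesheets. The second reproduces the class of input
// the advisory describes: a closing tag ends the <style> element early and
// the HTML parser resumes tag parsing on whatever follows.
const BENIGN_CSS = 'body { background: #fff } .nav a > span { content: "a<b" }';
const BREAKOUT_CSS =
  'body { color: red }\n</style><script>/* injected */</script><style>';

// Vulnerable rendering: the stylesheet is placed verbatim inside <style>.
function renderStylesVulnerable(customCss) {
  return `<style>\n${customCss}\n</style>`;
}

// Fix: inside <style> the HTML tokenizer is in RAWTEXT state, where only a
// literal "</style" can end the element, so it suffices to guarantee the CSS
// never contains a raw '<'. CSS allows '<' to be written as "\3c " (the
// trailing space terminates the hex digits); inside strings and url() this
// means the same thing to the CSS parser, and a bare '<' has no other
// legitimate use in a stylesheet. '>' is left alone: it is needed for child
// combinators and cannot end the element on its own.
function escapeCssForStyleElement(customCss) {
  return customCss.replace(/</g, '\\3c ');
}

function renderStylesHardened(customCss) {
  return `<style>\n${escapeCssForStyleElement(customCss)}\n</style>`;
}

// Minimal model of RAWTEXT handling for <style>: everything up to the first
// case-insensitive "</style" is CSS text; the tokenizer then leaves the
// element and anything after the end tag's '>' is parsed as ordinary markup.
// Returns the CSS the browser would hand to its CSS parser and the markup
// that escaped the style context.
function splitStyleElement(html) {
  const open = html.indexOf('<style>');
  if (open === -1) return { css: '', trailingMarkup: html };
  const start = open + '<style>'.length;
  const closeAt = html.slice(start).search(/<\/style/i);
  if (closeAt === -1) return { css: html.slice(start), trailingMarkup: '' };
  const css = html.slice(start, start + closeAt);
  const afterClose = html.slice(start + closeAt);
  const endOfTag = afterClose.indexOf('>');
  return { css, trailingMarkup: afterClose.slice(endOfTag + 1) };
}

// Does the rendered page contain a tag that got out of the <style> element?
function leaksMarkup(html) {
  return /<[a-z]/i.test(splitStyleElement(html).trailingMarkup);
}

// Decodes "\XXXXXX " CSS escapes, to show the hardened output is still the
// same stylesheet once the CSS parser reads it (inputs here contain no
// escapes of their own, so the round trip is exact).
function cssUnescape(css) {
  return css.replace(/\\([0-9a-f]{1,6}) ?/gi, (_, hex) =>
    String.fromCodePoint(parseInt(hex, 16)));
}

// Stand-alone demonstration.
console.log('vulnerable leaks markup:', leaksMarkup(renderStylesVulnerable(BREAKOUT_CSS)));
console.log('hardened leaks markup:  ', leaksMarkup(renderStylesHardened(BREAKOUT_CSS)));
```

Rejecting any input that contains `</` is an equally valid, blunter control; the escaping form is shown because it preserves legitimate stylesheets that use `<` inside `content:` strings or `url()` values.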
Affected packages (1)
- Packagist: `october/system`, affected versions from 0, < 3.7.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N |