CVE-2026-24907
MEDIUM5.4EPSS 0.04%October CMS has Stored XSS in Event Log Mail Preview
描述
A stored cross-site scripting (XSS) vulnerability was identified in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. ### Impact - Stored XSS via mail template content rendered in Event Log - Could allow privilege escalation if a superuser views a malicious log entry - Requires authenticated backend access with mail template editing permissions - Requires a superuser to view the specific Event Log entry to trigger ### Patches The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version. ### Workarounds If upgrading immediately is not possible: - Restrict mail template editing permissions to fully trusted administrators only - Restrict Event Log viewing permissions to minimize exposure ### References - Reported by [Chris Alupului](https://github.com/neosprings)
受影響套件(1)
- Packagist/october/system>= 4.0.0, < 4.1.10
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |