October CMS Cross-Site Scripting Vulnerability in Backend Configuration Forms

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in October CMS versions 3.7.12 and earlier, and 4.0.11 and earlier. The issue lies in the backend configuration forms, specifically the Markup Styles field of the Editor Settings. A user holding the Global Editor Settings permission could place HTML or JavaScript in the stylesheet input. Because a browser ends a <style> element at the first "</style" it encounters, regardless of the surrounding CSS, crafted input can close the element and have the remainder parsed as HTML, giving arbitrary script execution on backend pages for every user who loads them.

Impact

Exploitation results in persistent (stored) cross-site scripting across the backend interface: the injected script runs for every backend user who loads an affected page, administrators included. Because the Global Editor Settings permission can be granted to accounts that are otherwise lower-privileged, the flaw allows privilege escalation, session hijacking, and unauthorized actions performed in victims' sessions.

Remediation

Users are advised to upgrade to October CMS 3.7.13 or 4.0.12, which contain the fix. Where an immediate upgrade is not possible, restrict the Global Editor Settings permission to trusted administrators; this is a mitigation rather than a fix, since any account that retains the permission can still exploit the flaw. Administrators should also review the currently stored Markup Styles value for a "</style" sequence or any other HTML, since a payload saved before the upgrade remains in the settings store.
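The following PHP is an added example for this advisory, not code from October CMS, and the helper names in it are hypothetical. It shows the sink described in the Vulnerability section (a stylesheet value written verbatim into a <style> element), one way to close it by CSS-escaping "<", and the audit check suggested under Remediation for a stored Markup Styles value. The project's actual patch may differ from the hardening shown here.

```php
<?php
// Added example; not October CMS code. Helper names are hypothetical.

// Vulnerable pattern: the stored CSS is interpolated unchanged. The HTML
// tokenizer treats <style> content as RAWTEXT and leaves that state at the
// first "</style" it meets, whatever the CSS syntax around it, so anything
// after that point is parsed as HTML.
function renderStylesVulnerable(string $css): string
{
    return "<style>\n" . $css . "\n</style>";
}

// CSS-escape every "<" as "\3c " so that no byte sequence in the stored value
// can terminate the element. The trailing space belongs to the escape and is
// consumed by the CSS parser, so a following hex digit or space is handled
// correctly. Inside a CSS string the escape decodes back to "<"; inside a
// comment it is inert; valid CSS never needs a raw "<" anywhere else.
function escapeCssForStyleElement(string $css): string
{
    return str_replace('<', '\\3c ', $css);
}

// Hardened pattern (one option; the project's own patch may differ).
function renderStylesHardened(string $css): string
{
    return "<style>\n" . escapeCssForStyleElement($css) . "\n</style>";
}

// Audit check for an existing stored value: does it contain an end tag that
// would close <style>? Mirrors the tokenizer rule: "</style" in any case,
// followed by whitespace, "/", ">" or the end of the input.
function closesStyleElement(string $css): bool
{
    return (bool) preg_match('#</style(?:[\s/>]|$)#i', $css);
}

// Constructed payload of the shape the advisory describes: a harmless rule,
// then an end tag that closes the style element, a script, and a fresh
// <style> so the template's own closing tag still pairs up.
$payload = ".editor { color: red }\n"
    . "</style><script>alert(document.cookie)</script><style>";

$vulnerable = renderStylesVulnerable($payload);
$hardened   = renderStylesHardened($payload);

if (!closesStyleElement($payload)) {
    throw new RuntimeException('payload should be flagged by the audit check');
}
if (strpos($vulnerable, '</style><script>') === false) {
    throw new RuntimeException('vulnerable render passes the script tag through unchanged');
}
if (strpos($hardened, '<script') !== false
    || closesStyleElement(escapeCssForStyleElement($payload))) {
    throw new RuntimeException('hardened render must not let any tag through');
}

echo $hardened, PHP_EOL;
```

Run the file with the PHP CLI; it throws if either render behaves unexpectedly and otherwise prints the hardened output, in which every "<" from the payload appears as "\3c " and the only real tags are the template's own. The audit function can be pointed at the value read from the settings table to decide whether a pre-upgrade payload needs to be cleaned out.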

Added: Jan 10, 2026, 4:23 AM
Updated: Jan 10, 2026, 4:23 AM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          1.7
  exploitability  4.7
  remediation     7.9
  relevance       1.9
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.