October CMS Stored Cross-Site Scripting Vulnerability in Backend Editor Markup Classes

A stored cross-site scripting vulnerability has been identified in October CMS versions prior to 3.7.14 and 4.1.10. The issue resides in the Backend Editor Settings, specifically within the Markup Classes fields, which are used for various styling purposes. These fields failed to properly sanitize input, allowing malicious values to be injected and subsequently rendered unsanitized in the Froala editor dropdown menus. This exploitation enabled the execution of JavaScript when a user opened a RichEditor. The vulnerability could lead to privilege escalation if a superuser accessed any RichEditor during normal content editing, such as blog post revisions. Exploitation requires authenticated backend access with editor settings permissions.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the user opening the RichEditor. This could lead to privilege escalation if a superuser is targeted.

Remediation

Users are advised to upgrade to October CMS versions 3.7.14 or 4.1.10. If an immediate upgrade is not possible, restrict editor settings permissions to trusted administrators only.