October CMS Stored Cross-Site Scripting Vulnerability in Event Log Mail Preview

Vulnerability

A stored cross-site scripting vulnerability has been identified in October CMS versions prior to 3.7.14 and 4.1.10. The issue arises in the Event Log mail preview feature, where HTML content from logged mail messages is rendered in an iframe without proper sandboxing. This flaw allows JavaScript embedded in a logged message to execute in the context of the viewer's browser. Exploitation requires authenticated backend access with mail template editing permissions; the vulnerability could lead to privilege escalation if a superuser views a malicious log entry.
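The following is an added illustration, not October CMS code, of the pattern the advisory describes: logged mail HTML placed into an iframe with no sandbox attribute (an iframe built from srcdoc inherits the embedding page's origin, so any script in it runs as the backend session) beside the hardened form that adds an empty sandbox attribute, plus a small audit helper that flags iframes whose sandbox is missing or grants allow-scripts together with allow-same-origin. The function names, the escapeAttr helper and the sample logged message are assumptions constructed for this example.

```javascript
// Added example (not October CMS code): rendering untrusted logged mail HTML in an iframe.
// Constructed sample of a logged message whose template contains a script. The script body
// is deliberately harmless; the point is where it would run, not what it does.
const LOGGED_MAIL_HTML = '<p>Hello</p><script>console.log("runs in the preview")</script>';

// Escape a string for use inside a double-quoted HTML attribute such as srcdoc.
// Entities are decoded by the attribute parser before the srcdoc document is parsed,
// so the embedded document still sees the original markup.
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable shape (assumed, mirroring the advisory): the logged HTML is shown in an
// iframe with no sandbox. A srcdoc iframe without sandbox has the embedder's origin, so
// a <script> in the mail template executes with the backend user's session.
function vulnerablePreview(loggedHtml) {
  return `<iframe srcdoc="${escapeAttr(loggedHtml)}"></iframe>`;
}

// Hardened shape: sandbox="" grants nothing (no allow-scripts, no allow-same-origin), so the
// frame gets an opaque origin and scripts are blocked; referrerpolicy avoids leaking the
// backend URL to any remote image the template loads.
function hardenedPreview(loggedHtml) {
  return `<iframe sandbox="" referrerpolicy="no-referrer" srcdoc="${escapeAttr(loggedHtml)}"></iframe>`;
}

// Audit helper: find every <iframe> in a piece of markup and report whether it is
// sandboxed and whether scripts inside it would run with the embedding origin.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function auditIframes(markup) {
  const findings = [];
  for (const m of markup.matchAll(IFRAME_RE)) {
    const attrs = {};
    for (const a of m[1].matchAll(ATTR_RE)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    const hasSandbox = Object.prototype.hasOwnProperty.call(attrs, 'sandbox');
    const tokens = hasSandbox ? attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean) : [];
    // Without a sandbox attribute both capabilities are granted by default.
    const scriptsAllowed = !hasSandbox || tokens.includes('allow-scripts');
    const sameOriginAllowed = !hasSandbox || tokens.includes('allow-same-origin');
    findings.push({
      sandboxed: hasSandbox,
      // allow-scripts together with allow-same-origin lets the frame act as the embedder,
      // which is the stored-XSS condition this advisory describes.
      scriptsRunAsBackend: scriptsAllowed && sameOriginAllowed,
    });
  }
  return findings;
}

// Stand-alone demonstration.
for (const [label, markup] of [
  ['vulnerable', vulnerablePreview(LOGGED_MAIL_HTML)],
  ['hardened', hardenedPreview(LOGGED_MAIL_HTML)],
]) {
  console.log(label, JSON.stringify(auditIframes(markup)));
}
```

The audit helper is deliberately strict about the allow-scripts plus allow-same-origin pair: a sandbox that grants both is no stronger than no sandbox at all, which is a common mistake when a preview is later "fixed" by adding only a partial sandbox.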

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where malicious JavaScript is executed in the context of the viewing user's browser. This could be particularly harmful if a superuser is tricked into viewing a compromised log entry, potentially leading to unauthorized privilege escalation.

Remediation

Users are advised to upgrade to October CMS versions 3.7.14 or 4.1.10. If an immediate upgrade is not possible, mail template editing permissions should be restricted to trusted administrators, and Event Log viewing permissions should be limited to reduce exposure.

Added: Apr 14, 2026, 11:02 PM
Updated: Apr 14, 2026, 11:02 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           0.0
impact           5.4
exploitability   5.0
remediation      0.0
relevance        5.9
threat           0.0
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.