CVE-2020-4061: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

July 2, 2020 (updated March 4, 2021)

In October from version 1.0.319 and before version 1.0.467, pasting content copied from malicious websites into the Froala richeditor could result in a successful self-XSS attack. This has been fixed in 1.0.467.

References

github.com/advisories/GHSA-3pc2-fm7p-q2vg
github.com/octobercms/october/commit/b384954a29b89117e1c0d6035b3ede4f46df67c5
github.com/octobercms/october/security/advisories/GHSA-3pc2-fm7p-q2vg
nvd.nist.gov/vuln/detail/CVE-2020-4061
research.securitum.com/the-curious-case-of-copy-paste/

Code Behaviors & Features

Detect and mitigate CVE-2020-4061 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →