5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-44383

GHSA ID

GHSA-rvx8-p3xp-fj3p

EPSS Score

0.75099%

CWE

CWE-79

Published

11/29/2023

Updated

11/29/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-44383

CVE-2023-44383: October CMS stored XSS by authenticated backend user with improper configuration

Impact

A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported.

SVG files are supported by default in v3 for convenience; however, this has resulted in multiple mistaken vulnerability reports from security researchers. As per the documentation, if a backend user is not trusted, the advice is to remove the svg extension from the list of supported file types.

Patches

The issue has been patched in v3.5.2 by including an SVG sanister. It is enabled by default for new installations but must be enabled for existing sites in the config/media.php file.

'clean_vectors' => true,

Workarounds

If you cannot upgrade for this patch, follow the pervious advice and remove svg from the supported file types.

References

https://github.com/octobercms/october/blob/3.x/config/media.php

Credits to:

Faris Krivic
Okan Kurtulus
Aldin Visnjic
Bug Shankar

For more information

If you have any questions or comments about this advisory:

Email us at hello@octobercms.com

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-44383

GHSA ID

GHSA-rvx8-p3xp-fj3p

EPSS Score

0.75099%

CWE

CWE-79

Published

11/29/2023

Updated

11/29/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
october/system	composer	>= 3.0.0, < 3.5.2	3.5.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper sanitization of SVG file uploads in the media manager component. While the patch introduces a 'clean_vectors' configuration to enable sanitization, the advisory and commit diff don't explicitly identify specific processing functions in the codebase. The vulnerability manifests due to the absence of sanitization logic in SVG handling routines when the configuration is disabled, but without access to the exact file processing functions in October CMS's MediaManager component (which isn't shown in provided diffs or descriptions), we can't confidently name specific vulnerable functions. The root cause is a missing security control (sanitization) rather than a clearly identifiable vulnerable function signature.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * us*r wit* ****ss to t** m**i* m*n***r t**t stor*s SV* *il*s *oul* *r**t* * stor** XSS *tt**k ***inst t**ms*lv*s *n* *ny ot**r us*r wit* ****ss to t** m**i* m*n***r w**n SV* *il*s *r* support**. SV* *il*s *r* support** *y ****ult in v*

Reasoning

T** vuln*r**ility st*ms *rom improp*r s*nitiz*tion o* SV* *il* uplo**s in t** m**i* m*n***r *ompon*nt. W*il* t** p*t** intro*u**s * '*l**n_v**tors' *on*i*ur*tion to *n**l* s*nitiz*tion, t** **visory *n* *ommit *i** *on't *xpli*itly i**nti*y sp**i*i*

5.4

Basic Information

Concerned about an active attack path?

CVE-2023-44383: October CMS stored XSS by authenticated backend user with improper configuration

Impact

Patches

Workarounds

References

For more information

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI