OctoberCMS v3.4.0 (Wiki_article) Stored Cross-Site Scripting Vulnerability

Title: OctoberCMS v3.4.0 (Wiki_article) Stored Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2023-5807
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 03.12.2023
Summary
OctoberCMS is a self-hosted content management system (CMS) based on the PHP programming language and Laravel web application framework. It supports MySQL, SQLite and PostgreSQL for the database back end and uses a flat file database for the front end structure. The October CMS covers a range of capabilities such as users, permissions, themes, and plugins, and is seen as a simpler alternative to WordPress.
Description
OctoberCMS suffers from stored cross-site scripting vulnerability when a user with the ability to create an article could perform a stored XSS attack against any other users with the ability to create an article. This can lead to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.
Vendor
October CMS - https://www.octobercms.com
Affected Version
3.4.0
Tested On
macOS Monterey 12.6.3
Docker 4.12.0 (85629)
PHP/8.1.6
Vendor Status
[30.10.2023] Vulnerability discovered.
[31.10.2023] Contact with the vendor.
[06.11.2023] Vendor asked for the details.
[07.11.2023] Sent details to the vendor.
[11.11.2023] Vendor asked for confirmation if the findings were within their scope.
[14.11.2023] Confirmed the issues are within the scope.
[20.11.2023] Vendor asked for further information on how exploits affect a public-facing website.
[22.11.2023] Explained about impact of the findings in detail.
[29.11.2023] Vendor didn't consider the findings as vulnerabilities.
[03.12.2023] Public security advisory released.
PoC
octobercms_xss(wiki_article).txt
Credits
Vulnerability discovered by Nazli Soysal Kuran - <nazli@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/176053/October-CMS-3.4.0-Wiki-Article-Cross-Site-Scripting.html
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-49524
[3] https://nvd.nist.gov/vuln/detail/CVE-2023-49524
Changelog
[03.12.2023] - Initial release
[20.12.2023] - Added reference [1], [2] and [3]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk