
[GHSA-2g8p-j2r6-vqpj] October Cross-site Scripting vulnerability #2807

Conversation

daftspunk (Author)

Updates

  • Affected products
  • Description
  • Severity
  • Source code location

Comments
This vulnerability is related to the October CMS installer (not October CMS the platform). These files are deleted when the installer finishes its process. This also was not responsibly disclosed to the October CMS team.

github-actions bot changed the base branch from main to daftspunk/advisory-improvement-2807 on October 2, 2023 07:02
daftspunk (Author)

Please resolve this using the following commit: octobercms/install@ef1225b

shelbyc (Contributor) commented Oct 4, 2023

@daftspunk Thanks for following up with a fix commit! Before I make any changes to the advisory, is there any way for users of octobercms/october to update to the fix commit octobercms/install@ef1225b by updating the octobercms/october Composer package? If so, we want to list octobercms/october in the advisory. If they have to update in a way that has nothing to do with the octobercms/october Composer package, we'll note that the package that needs to be updated isn't in the Composer ecosystem.

daftspunk (Author)

> is there any way for users of octobercms/october to update to the fix commit ef1225b5596b7c2eb5ca3aa700a23e9f8acf387b by updating the octobercms/october Composer package?

Negative. The files are not included in octobercms/october, and the package is not part of the Composer ecosystem.

Thank you for resolving this.

advisory-database bot merged commit a91d0c9 into daftspunk/advisory-improvement-2807 on Oct 5, 2023 (2 checks passed)
advisory-database bot deleted the daftspunk-GHSA-2g8p-j2r6-vqpj branch on October 5, 2023 13:20
advisory-database (Contributor, bot)

Hi @daftspunk! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
