A user with the ability to use the import functionality of the ImportExportController
behavior could be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question
Issue has been patched in Build 466 (v1.0.466).
Apply https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c to your installation manually if unable to upgrade to Build 466.
Reported by Sivanesh Ashok
If you have any questions or comments about this advisory: * Email us at hello@octobercms.com
<img width="1100" alt="Screen Shot 2020-03-31 at 2 01 52 PM" src="https://user-images.githubusercontent.com/7253840/78070158-8f7ef580-7358-11ea-950c-226533f6a0a3.png">
{ "nvd_published_at": "2020-06-03T22:15:00Z", "github_reviewed_at": "2020-06-03T21:26:48Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-79", "CWE-87" ] }