Cross-site Scripting (XSS) - Stored in octobercms/library
Apr 3rd 2021
OctoberCMS uses october/rain library to handle file uploads. Previously it was possible to upload malicious files with HTML content to the CMS via its Media upload feature. This security issue marked as CVE-2020-15249 was fixed in 1.0.469. But it is still possible to upload XML files. Since browsers render XML files depending on their XML namespace, we can create an XSS from within an XML file.
🕵️♂️ Proof of Concept
While logged in as a user with upload privileges, visit
backend/backend/media and upload an XML file with the following content:
// PoC.xml <script xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg"> alert('xss'); </script>
The file gets uploaded at
This vulnerability is capable of Stored Cross Site Scripting which can be leveraged to perform account takeover, privilege escalation, Server Side Template Injection, and can also be chained with some other vulnerability to gain remote code execution.