PT-2020-18387 · October · October Cms

Author: Sivanesh Ashok (+1)
Published: 2020-06-03
Updated: 2022-06-30
CVE: CVE-2020-5298
CVSS v3.1: 4.0 (Medium)
Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: OctoberCMS versions 1.0.319 through 1.0.465

Description: A user with the ability to use the import functionality of the ImportExportController behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file, which could result in a reflected XSS attack on the user in question.

Recommendations: For versions 1.0.319 through 1.0.465, update to Build 466 (v1.0.466) to resolve the issue. As a temporary workaround, if you are unable to upgrade to Build 466, apply the patch from https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c to your installation manually.

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2020-5298, GHSA-GG6X-XX78-448C

Affected Products: October Cms