OctoberCMS is a CMS similar to WordPress, but with much less “fluff”. SECURELI.com's team identified that the latest version of OctoberCMS relies on Bootstrap 3.3.7, jQuery 1.11.1, and jQuery 3.3.1. All three of these dependencies have known vulnerabilities.

--------------------------------------------------
/october/themes/demo/assets/vendor/bootstrap.js
bootstrap 3.3.7 has known vulnerabilities

severity: high
issue: 28236
summary: XSS in data-template, data-content and data-title properties of tooltip/popover
CVE-2019-8331
https://github.com/twbs/bootstrap/issues/28236

severity: medium
issue: 20184
summary: XSS in data-target property of scrollspy
CVE-2018-14041
https://github.com/twbs/bootstrap/issues/20184

severity: medium
issue: 20184
summary: XSS in collapse data-parent attribute
CVE-2018-14040
https://github.com/twbs/bootstrap/issues/20184

severity: medium
issue: 20184
summary: XSS in data-container property of tooltip
CVE-2018-14042
https://github.com/twbs/bootstrap/issues/20184

--------------------------------------------------
/october/themes/demo/assets/vendor/jquery.js
jquery 1.11.1 has known vulnerabilities

severity: medium
issue: 2432
summary: 3rd party CORS request may execute
CVE-2015-9251
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/

severity: medium
CVE-2015-9251
issue: 11974
summary: parseHTML() executes scripts in event handlers
https://bugs.jquery.com/ticket/11974
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
http://research.insecurelabs.org/jquery/test/

severity: low
CVE-2019-11358
summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

--------------------------------------------------
/october/modules/backend/assets/js/vendor/jquery-and-migrate.min.js
jquery 3.3.1 has known vulnerabilities

severity: low
CVE-2019-11358
summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution
https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

All of these vulnerabilities were identified using RetireJS (https://retirejs.github.io/retire.js/), which identifies known vulnerabilities in open source dependencies.

Research provided by SECURELI.com
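The check RetireJS performs on these files, reduced to its core, as an added example that is not RetireJS or OctoberCMS code: read the version banner of a vendored jQuery or Bootstrap file and compare it against the first fixed release of each advisory. The fixed-in versions are the ones stated in the linked advisories (3.0.0 for CVE-2015-9251, 3.4.0 for CVE-2019-11358, 3.4.1 for CVE-2019-8331); the file contents are constructed in-line to mimic the banners of the versions found above, not read from disk.

```javascript
// Added example, not part of RetireJS. Rules: a banner regex capturing the
// version, and the advisories with the first release that is no longer affected.
const RULES = [
  {
    lib: "jquery",
    banner: /jQuery v(\d+\.\d+\.\d+)/,
    advisories: [
      { cve: "CVE-2015-9251", fixedIn: "3.0.0", severity: "medium" },
      { cve: "CVE-2019-11358", fixedIn: "3.4.0", severity: "low" },
    ],
  },
  {
    lib: "bootstrap",
    banner: /Bootstrap v(\d+\.\d+\.\d+)/,
    advisories: [{ cve: "CVE-2019-8331", fixedIn: "3.4.1", severity: "high" }],
  },
];

// Numeric compare of dotted versions, so "1.11.1" < "3.4.0" and "3.10.0" > "3.4.0"
// (a plain string compare would get both of these wrong).
function versionLess(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// One file -> list of {path, lib, version, cve, fixedIn, severity}; [] when
// the file is clean or no known banner is present.
function scanFile(path, contents) {
  const findings = [];
  for (const rule of RULES) {
    const m = rule.banner.exec(contents);
    if (!m) continue; // not this library
    for (const adv of rule.advisories) {
      if (versionLess(m[1], adv.fixedIn)) {
        findings.push({ path, lib: rule.lib, version: m[1], ...adv });
      }
    }
  }
  return findings;
}

// Constructed sample contents: the banner lines of the versions found in OctoberCMS,
// plus a hypothetical up-to-date jQuery to show a clean result.
const SAMPLE_FILES = {
  "/october/themes/demo/assets/vendor/jquery.js": "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */",
  "/october/modules/backend/assets/js/vendor/jquery-and-migrate.min.js": "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */\n/*! jQuery Migrate v3.0.1 */",
  "/october/themes/demo/assets/vendor/bootstrap.js": "/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n */",
  "/hypothetical/vendor/jquery.js": "/*! jQuery v3.4.0 | jquery.org/license */",
};

function scanAll(files) {
  return Object.entries(files).flatMap(([path, contents]) => scanFile(path, contents));
}

for (const f of scanAll(SAMPLE_FILES)) {
  console.log(`${f.severity.padEnd(6)} ${f.cve.padEnd(14)} ${f.lib} ${f.version} (fixed in ${f.fixedIn}) ${f.path}`);
}
```

Banner sniffing only sees what the file says about itself, so a renamed or re-bundled library with the banner stripped produces no finding; RetireJS additionally hashes file contents and inspects function signatures for that reason.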