OctoberCMS is a CMS similar to WordPress, but with much less “fluffâ€. SECURELI.com's team identified the latest version of OctoberCMS relying on Bootstrap 3.3.7, jQuery 1.11.1, and jQuery 3.3.1. All of these dependencies are vulnerable. -------------------------------------------------- /october/themes/demo/assets/vendor/bootstrap.js bootstrap 3.3.7 has known vulnerabilities severity: high issue: 28236 summary: XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331 https://github.com/twbs/bootstrap/issues/28236 severity: medium issue: 20184 summary: XSS in data-target property of scrollspy CVE-2018-14041 https://github.com/twbs/bootstrap/issues/20184 severity: medium issue: 20184 summary: XSS in collapse data-parent attribute CVE-2018-14040 https://github.com/twbs/bootstrap/issues/20184 severity: medium issue: 20184 summary: XSS in data-container property of tooltip CVE-2018-14042 https://github.com/twbs/bootstrap/issues/20184 -------------------------------------------------- /october/themes/demo/assets/vendor/jquery.js jquery 1.11.1 has known vulnerabilities severity: medium issue: 2432 summary: 3rd party CORS request may execute CVE-2015-9251 https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium CVE-2015-9251 issue: 11974 summary: parseHTML() executes scripts in event handlers https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low CVE-2019-11358 summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b -------------------------------------------------- /october/modules/backend/assets/js/vendor/jquery-and-migrate.min.js jquery 3.3.1 has known vulnerabilities severity: low CVE-2019-11358 summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b All of these vulnerabilities were identified using RetireJS (https://retirejs.github.io/retire.js/), which identifies open source dependency vulnerabilities. Research provided by SECURELI.com