OctoberCMS Web Application Open Source Dependency Vulnerability

OctoberCMS is a CMS similar to WordPress, but with much less “fluff”.

Our team identified that the latest version of OctoberCMS relies on Bootstrap 3.3.7, jQuery 1.11.1, and jQuery 3.3.1.

All three of these dependencies have known vulnerabilities.

/october/themes/demo/assets/vendor/bootstrap.js

↳ bootstrap 3.3.7 has known vulnerabilities:

  severity: high; issue: 28236; summary: XSS in data-template, data-content and data-title properties of tooltip/popover; CVE: CVE-2019-8331;
    https://github.com/twbs/bootstrap/issues/28236

  severity: medium; issue: 20184; summary: XSS in data-target property of scrollspy; CVE: CVE-2018-14041;
    https://github.com/twbs/bootstrap/issues/20184

  severity: medium; issue: 20184; summary: XSS in collapse data-parent attribute; CVE: CVE-2018-14040;
    https://github.com/twbs/bootstrap/issues/20184

  severity: medium; issue: 20184; summary: XSS in data-container property of tooltip; CVE: CVE-2018-14042;
    https://github.com/twbs/bootstrap/issues/20184

/october/themes/demo/assets/vendor/jquery.js

↳ jquery 1.11.1 has known vulnerabilities:

  severity: medium; issue: 2432; summary: 3rd party CORS request may execute; CVE: CVE-2015-9251;
    https://github.com/jquery/jquery/issues/2432
    http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
    https://nvd.nist.gov/vuln/detail/CVE-2015-9251
    http://research.insecurelabs.org/jquery/test/

  severity: medium; issue: 11974; summary: parseHTML() executes scripts in event handlers; CVE: CVE-2015-9251;
    https://bugs.jquery.com/ticket/11974
    https://nvd.nist.gov/vuln/detail/CVE-2015-9251
    http://research.insecurelabs.org/jquery/test/

  severity: low; summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; CVE: CVE-2019-11358;
    https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
    https://nvd.nist.gov/vuln/detail/CVE-2019-11358
    https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

/october/modules/backend/assets/js/vendor/jquery-and-migrate.min.js

↳ jquery 3.3.1 has known vulnerabilities:

  severity: low; summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; CVE: CVE-2019-11358;
    https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
    https://nvd.nist.gov/vuln/detail/CVE-2019-11358
    https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

All of these vulnerabilities were identified by RetireJS (https://retirejs.github.io/retire.js/), a scanner that detects known vulnerabilities in open source JavaScript dependencies.
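As an added example (not code from the page's authors or from RetireJS), the Go checker below does what RetireJS did for the three files above: it recognises a library from the version banner at the top of the file and looks the version up against the CVEs listed, so a deployment can be re-checked after upgrading. The CVE numbers, severities and summaries are those reported above; the affected-version spans are assumed from the linked advisories (Bootstrap fixed in 3.4.0 and 3.4.1 with a separate 4.x span, jQuery fixed in 3.0.0 and 3.4.0), and the three file contents are constructed stand-ins for the real vendor files.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Advisory carries one finding from the RetireJS output above. CVE, severity
// and summary are as reported there; Affected is the half-open [Lo, Hi) span
// taken from the linked advisories (Bootstrap: before 3.4.0 / 3.4.1 plus a
// separate 4.x span; jQuery: before 3.0.0 and before 3.4.0).
type Range struct{ Lo, Hi string }
type Advisory struct {
	Library, CVE, Severity, Summary string
	Affected                        []Range
}

var advisories = []Advisory{
	{"bootstrap", "CVE-2019-8331", "high", "XSS in data-template, data-content and data-title of tooltip/popover", []Range{{"0", "3.4.1"}, {"4.3.0", "4.3.1"}}},
	{"bootstrap", "CVE-2018-14041", "medium", "XSS in data-target property of scrollspy", []Range{{"0", "3.4.0"}, {"4.0.0", "4.1.2"}}},
	{"bootstrap", "CVE-2018-14040", "medium", "XSS in collapse data-parent attribute", []Range{{"0", "3.4.0"}, {"4.0.0", "4.1.2"}}},
	{"bootstrap", "CVE-2018-14042", "medium", "XSS in data-container property of tooltip", []Range{{"0", "3.4.0"}, {"4.0.0", "4.1.2"}}},
	{"jquery", "CVE-2015-9251", "medium", "3rd party CORS request may execute; parseHTML() executes scripts in event handlers", []Range{{"0", "3.0.0"}}},
	{"jquery", "CVE-2019-11358", "low", "jQuery.extend(true, {}, ...) Object.prototype pollution", []Range{{"0", "3.4.0"}}},
}

// jQuery files open with "/*! jQuery v1.11.1 | ..." and the Bootstrap bundle
// with "/*!\n * Bootstrap v3.3.7 (...)"; RetireJS identifies versions the same
// way, from file contents rather than file names.
var banners = []struct {
	lib string
	re  *regexp.Regexp
}{
	{"jquery", regexp.MustCompile(`/\*!\s*jQuery v(\d+\.\d+\.\d+)`)},
	{"bootstrap", regexp.MustCompile(`\*\s*Bootstrap v(\d+\.\d+\.\d+)`)},
}

// DetectLibrary returns the library and version found in a JS file's
// contents, or ok=false when no known banner is present.
func DetectLibrary(content string) (lib, version string, ok bool) {
	for _, b := range banners {
		if m := b.re.FindStringSubmatch(content); m != nil {
			return b.lib, m[1], true
		}
	}
	return "", "", false
}

// part returns the i-th numeric component of a split version, 0 if absent.
func part(p []string, i int) int {
	if i >= len(p) {
		return 0
	}
	n, _ := strconv.Atoi(p[i])
	return n
}

// CompareVersions orders dotted versions: -1, 0 or 1 ("3.4" equals "3.4.0").
func CompareVersions(a, b string) int {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		if x, y := part(pa, i), part(pb, i); x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// Findings returns the advisories whose affected span contains version.
func Findings(lib, version string) []Advisory {
	var out []Advisory
	for _, a := range advisories {
		if a.Library != lib {
			continue
		}
		for _, r := range a.Affected {
			if CompareVersions(version, r.Lo) >= 0 && CompareVersions(version, r.Hi) < 0 {
				out = append(out, a)
				break
			}
		}
	}
	return out
}

// Constructed file contents standing in for the three vendor files above.
var sampleFiles = []struct{ path, content string }{
	{"/october/themes/demo/assets/vendor/bootstrap.js", "/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n */"},
	{"/october/themes/demo/assets/vendor/jquery.js", "/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */"},
	{"/october/modules/backend/assets/js/vendor/jquery-and-migrate.min.js", "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */"},
}

func main() {
	for _, f := range sampleFiles {
		lib, ver, ok := DetectLibrary(f.content)
		fmt.Printf("%s\n  ↳ %s %s (banner found: %v)\n", f.path, lib, ver, ok)
		for _, a := range Findings(lib, ver) {
			fmt.Printf("    %s (%s): %s\n", a.CVE, a.Severity, a.Summary)
		}
	}
}
```

Upgrading Bootstrap to 3.4.1 and jQuery to 3.4.0 or later clears every finding in the table, and re-running the checker against the upgraded files is the verification step. Note that the jQuery 3.3.1 copy under modules/backend/ is a separate file from the theme's jQuery 1.11.1, so both need updating.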

WordPress Version Number Disclosure

WordPress is an extremely popular target for attackers, as it powers ~70% of the websites online.

The most common causes of compromise are outdated WordPress core versions, insecure plugins, and insecure themes.

We decided to create a script that would let us quickly identify whether a WordPress site was running a vulnerable version, based on the version number it discloses.

We used https://wpvulndb.com/wordpresses/ as the source for a Golang array of vulnerable versions, which the script checks against the version number pulled by our internal WordPress version number identification script.

This script turned out to be FAST! It was our first time working with Golang, and the sheer power of issuing HTTP requests concurrently made it a game changer for monitoring and scanning millions of WordPress sites, so that we can contact website owners and agencies with this vulnerability information and spare them from having to rely on a hacked website repair service or WordPress malware removal.
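An added example, written for this page rather than the authors' own script, of the approach the section describes in Go: pull the version number a WordPress site discloses, compare it against a list of vulnerable versions, and do so concurrently over an inventory of URLs. The list of vulnerable versions here is a constructed placeholder (the real one is built from https://wpvulndb.com/wordpresses/), the example.test URLs and page bodies are constructed, and the two disclosure points checked (the generator meta tag and the ?ver= query string on core stylesheets) are standard WordPress output, not anything specific to the authors' script.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"regexp"
	"sync"
	"time"
)

// A rendered WordPress page discloses the core version in the generator meta
// tag printed by wp_head() and in the ?ver= query string on core assets. The
// fallback only looks at stylesheets under /wp-includes/css/, because bundled
// scripts such as jquery.min.js carry their own library version in ?ver=.
var generatorRe = regexp.MustCompile(`<meta name="generator" content="WordPress (\d+\.\d+(?:\.\d+)?)"`)
var coreCSSVerRe = regexp.MustCompile(`/wp-includes/css/[^"']*\.css\?ver=(\d+\.\d+(?:\.\d+)?)`)

// ExtractVersion returns the version a page discloses, or "" if neither disclosure is present.
func ExtractVersion(html string) string {
	if m := generatorRe.FindStringSubmatch(html); m != nil {
		return m[1]
	}
	if m := coreCSSVerRe.FindStringSubmatch(html); m != nil {
		return m[1]
	}
	return ""
}

// vulnerableVersions stands in for the array built from https://wpvulndb.com/wordpresses/.
// These entries are constructed placeholders, not advisory data; load the real list here.
var vulnerableVersions = map[string]bool{"4.7.0": true, "4.7.1": true, "5.0.0": true}

// Fetcher returns a page body; abstracting it lets the same checker run live or offline.
type Fetcher func(url string) (string, error)

// HTTPFetcher wraps an http.Client and caps each body read at 1 MiB.
func HTTPFetcher(client *http.Client) Fetcher {
	return func(url string) (string, error) {
		resp, err := client.Get(url)
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
		return string(body), err
	}
}

// MapFetcher serves pages from a map, for offline runs and tests.
func MapFetcher(pages map[string]string) Fetcher {
	return func(url string) (string, error) {
		if page, ok := pages[url]; ok {
			return page, nil
		}
		return "", fmt.Errorf("no page for %s", url)
	}
}

type Result struct {
	URL, Version string
	Vulnerable   bool
	Err          error
}

// CheckSites runs the check over an inventory of URLs with a bounded pool of
// goroutines (the concurrency the page credits for the script's speed); results keep input order.
func CheckSites(urls []string, workers int, fetch Fetcher) []Result {
	results := make([]Result, len(urls))
	jobs := make(chan int)
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for i := range jobs {
				body, err := fetch(urls[i])
				v := ExtractVersion(body)
				results[i] = Result{urls[i], v, vulnerableVersions[v], err}
			}
		}()
	}
	for i := range urls {
		jobs <- i
	}
	close(jobs)
	wg.Wait()
	return results
}

// SamplePages are constructed responses so the program runs offline.
var SamplePages = map[string]string{
	"https://example.test/disclosing": `<head><meta name="generator" content="WordPress 4.7.1" /></head>`,
	"https://example.test/ver-only":   `<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=5.8.3" />`,
	"https://example.test/hardened":   `<head><title>generator tag removed</title></head>`,
}

func main() {
	urls := []string{"https://example.test/disclosing", "https://example.test/ver-only", "https://example.test/hardened"}
	fetch := MapFetcher(SamplePages)
	if len(os.Args) > 1 { // pass the URLs of sites you administer to check them live
		urls, fetch = os.Args[1:], HTTPFetcher(&http.Client{Timeout: 10 * time.Second})
	}
	for _, r := range CheckSites(urls, 4, fetch) {
		fmt.Printf("%-35s version=%q vulnerable=%v err=%v\n", r.URL, r.Version, r.Vulnerable, r.Err)
	}
}
```

Run with no arguments it checks the canned pages offline; pass URLs of sites you administer to check them over HTTP. On the site side, `remove_action('wp_head', 'wp_generator');` in a theme or plugin drops the generator tag, but hiding the version only reduces the disclosure; updating core is what removes the vulnerability.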