OctoberCMS on 办公AI智能小助手 https://blog.qife122.com/tags/octobercms/ Recent content in OctoberCMS on 办公AI智能小助手 Hugo zh-cn qife Mon, 12 Jan 2026 07:56:42 +0800 October CMS 存储型XSS漏洞解析:编辑器与品牌样式配置的风险 https://blog.qife122.com/p/october-cms-%E5%AD%98%E5%82%A8%E5%9E%8Bxss%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%E7%BC%96%E8%BE%91%E5%99%A8%E4%B8%8E%E5%93%81%E7%89%8C%E6%A0%B7%E5%BC%8F%E9%85%8D%E7%BD%AE%E7%9A%84%E9%A3%8E%E9%99%A9/ Mon, 12 Jan 2026 07:56:42 +0800 https://blog.qife122.com/p/october-cms-%E5%AD%98%E5%82%A8%E5%9E%8Bxss%E6%BC%8F%E6%B4%9E%E8%A7%A3%E6%9E%90%E7%BC%96%E8%BE%91%E5%99%A8%E4%B8%8E%E5%93%81%E7%89%8C%E6%A0%B7%E5%BC%8F%E9%85%8D%E7%BD%AE%E7%9A%84%E9%A3%8E%E9%99%A9/ <h3 id="漏洞概述">漏洞概述</h3> <p>在 <strong>October CMS</strong> 的后台配置表单中发现了一处<strong>存储型跨站脚本(Stored XSS)</strong> 漏洞(编号:CVE-2025-61674)。该漏洞影响编辑器设置和品牌样式配置,可被具有特定权限的用户利用,从而在后台界面所有用户的上下文中执行任意脚本。</p> October CMS 品牌样式存储型XSS漏洞详解 https://blog.qife122.com/p/october-cms-%E5%93%81%E7%89%8C%E6%A0%B7%E5%BC%8F%E5%AD%98%E5%82%A8%E5%9E%8Bxss%E6%BC%8F%E6%B4%9E%E8%AF%A6%E8%A7%A3/ Mon, 12 Jan 2026 05:32:09 +0800 https://blog.qife122.com/p/october-cms-%E5%93%81%E7%89%8C%E6%A0%B7%E5%BC%8F%E5%AD%98%E5%82%A8%E5%9E%8Bxss%E6%BC%8F%E6%B4%9E%E8%AF%A6%E8%A7%A3/ <h2 id="漏洞概要">漏洞概要</h2> <p><strong>漏洞名称</strong>: October CMS 存储型XSS漏洞(通过品牌样式) <strong>CVE编号</strong>: CVE-2025-61676 <strong>严重等级</strong>: 中等(CVSS评分6.1) <strong>影响范围</strong>:</p> <ul> <li>October CMS v3.x: &lt;= 3.7.12</li> <li>October CMS v4.x: &gt;= 4.0.0, &lt;= 4.0.11</li> </ul> <h2 id="漏洞详情">漏洞详情</h2> <h3 id="漏洞位置">漏洞位置</h3> <p>October CMS后端配置表单中的“品牌与外观样式”功能。</p>