
CVE-2025-61674: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in octobercms october

Medium
Published: Sat Jan 10 2026 (01/10/2026, 03:14:11 UTC)
Source: CVE Database V5
Vendor/Project: octobercms
Product: october

Description

October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.

AI-Powered Analysis

Last updated: 01/17/2026, 07:52:22 UTC

Technical Analysis

CVE-2025-61674 is a medium-severity cross-site scripting (XSS) vulnerability identified in October CMS, a popular content management system and web platform. The flaw exists in the backend configuration forms, specifically in the stylesheet input field under Markup Styles. Users with the Global Editor Settings permission can inject malicious HTML or JavaScript code into this input. Due to improper neutralization of input during web page generation (CWE-79), the injected code can break out of the intended <style> tag context, enabling arbitrary script execution on backend pages. This can lead to session hijacking, privilege escalation, or unauthorized actions performed by backend users. Exploitation requires authenticated access with elevated permissions and user interaction, limiting the attack surface to trusted users with specific roles. The vulnerability affects October CMS versions earlier than 3.7.13 and 4.0.12, where patches have been applied to sanitize inputs correctly. Although no active exploits have been reported, the potential impact on confidentiality and integrity of backend operations is significant, especially in environments where multiple administrators or editors manage content. The CVSS 3.1 score of 6.1 reflects the network attack vector, low attack complexity, requirement for privileges and user interaction, and high impact on confidentiality and integrity but no impact on availability.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of backend CMS operations. Attackers exploiting this flaw could execute arbitrary scripts in the context of backend users, potentially leading to session hijacking, unauthorized content changes, or further lateral movement within the organization’s infrastructure. This could result in data leakage, defacement, or manipulation of sensitive content managed via October CMS. Given that October CMS is used by various enterprises and public sector entities across Europe for website management, the risk extends to both private and governmental sectors. The requirement for authenticated access with elevated permissions limits exposure but does not eliminate risk, especially in environments with multiple editors or administrators. The absence of known exploits in the wild reduces immediate threat but does not preclude targeted attacks or insider threats. Organizations failing to patch may face reputational damage, compliance issues (e.g., GDPR if personal data is compromised), and operational disruptions due to compromised CMS backends.

Mitigation Recommendations

European organizations using October CMS should immediately verify their version and upgrade to 3.7.13 or 4.0.12 or later where the vulnerability is patched. Beyond patching, organizations should audit user permissions to ensure only trusted personnel have Global Editor Settings access, minimizing the risk of insider exploitation. Implement strict input validation and content security policies (CSP) on backend interfaces to reduce the impact of potential XSS attacks. Regularly monitor backend logs for unusual activity or script injections. Employ multi-factor authentication (MFA) for backend access to reduce the risk of compromised credentials being used to exploit this vulnerability. Conduct security awareness training for administrators and editors to recognize suspicious behavior or phishing attempts that could lead to credential compromise. Finally, consider isolating backend CMS management interfaces from public networks or restricting access via VPN or IP whitelisting to reduce exposure.
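The description explains that the stylesheet setting is emitted inside a backend <style> element and that input containing a closing-tag sequence breaks out of it; the mitigation section asks for input validation. The following added example (not October CMS code) shows the two defensive pieces a practitioner would want: a case- and whitespace-aware check that flags stored stylesheet values containing a breakout sequence, and an output-encoding function that neutralises "<" with its CSS escape so the HTML tokenizer can never leave the raw-text state. The setting names and sample values are constructed.

```python
"""Constructed example: safely embedding admin-supplied CSS in a backend <style>
element, plus a detection check for stored values that would break out of it."""
import re

# Inside a <style> element the HTML tokenizer leaves raw-text state only when it
# sees "</style" followed by whitespace, "/" or ">" (case-insensitive). It performs
# no entity decoding there, so "&lt;" does not help; only a literal "<" can start
# the breakout.
STYLE_BREAKOUT = re.compile(r"</style(?=[\s/>])", re.IGNORECASE)


def contains_style_breakout(css: str) -> bool:
    """Detection check for a stored stylesheet setting."""
    return STYLE_BREAKOUT.search(css) is not None


def escape_css_for_style_element(css: str) -> str:
    """Replace every '<' with its CSS escape '\\3c ' (the trailing space ends the
    hex escape). The CSS parser turns it back into '<' inside strings, identifiers
    and comments, so legitimate content() values keep their meaning, while the HTML
    tokenizer never sees '</style'. Nothing else needs escaping: '>' must stay
    literal to remain the child combinator, and '&' has no meaning in raw text."""
    return css.replace("<", "\\3c ")


def render_style_element(css: str) -> str:
    """Build the <style> block a layout would emit for the (now encoded) setting."""
    return "<style>\n" + escape_css_for_style_element(css) + "\n</style>"


# Constructed sample settings: one benign (uses '<' legitimately), three hostile
# spellings of the same breakout.
SAMPLE_SETTINGS = {
    "benign": 'ul > li::before { content: "<"; } /* a < b */',
    "plain":  "h1 { color: red }</style><b>injected</b>",
    "case":   "h1 { color: red }</STYLE ><b>injected</b>",
    "nl":     "h1 { color: red }</style\n><script></script>",
}


def flagged_settings(settings: dict) -> list:
    """Keys of stored settings that contain a breakout sequence, sorted."""
    return sorted(k for k, v in settings.items() if contains_style_breakout(v))


if __name__ == "__main__":
    print(flagged_settings(SAMPLE_SETTINGS))   # ['case', 'nl', 'plain']
    print(render_style_element(SAMPLE_SETTINGS["plain"]))
```

Run the detection over exported settings after upgrading, since the patch stops new injection but does not necessarily rewrite values already stored.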


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-09-29T20:25:16.180Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6961cb1719784dcf52be20d2

Added to database: 1/10/2026, 3:44:23 AM

Last enriched: 1/17/2026, 7:52:22 AM

Last updated: 2/7/2026, 5:38:26 AM

