CVE-2025-61676: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in octobercms october
October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Customize Backend Styles permission could inject malicious HTML/JS into the stylesheet input in the Styles section of the Branding & Appearance settings. A specially crafted input could break out of the intended <style> context, allowing arbitrary script execution across backend pages for all users. This issue has been patched in versions 3.7.13 and 4.0.12.
AI Analysis
Technical Summary
CVE-2025-61676 is a cross-site scripting (XSS) vulnerability classified under CWE-79, found in October CMS, a popular content management system and web platform. The vulnerability exists in backend configuration forms, specifically in the stylesheet input field under the Branding & Appearance settings. Users who possess the 'Customize Backend Styles' permission can inject malicious HTML or JavaScript code into this input. The issue arises because the input is embedded within a <style> tag context without proper sanitization or neutralization, allowing crafted inputs to break out of the style context and execute arbitrary scripts on backend pages. This can lead to unauthorized script execution affecting all backend users who access these pages. The vulnerability affects October CMS versions from 4.0.0 up to but not including 4.0.12, and versions below 3.7.13. The CVSS v3.1 base score is 6.1, indicating a medium severity level, with an attack vector of network, low attack complexity, requiring high privileges and user interaction, and impacting confidentiality and integrity but not availability. No known exploits are reported in the wild as of the publication date. The issue was patched in versions 3.7.13 and 4.0.12, which properly sanitize or restrict the stylesheet input to prevent script injection.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of backend systems managed via October CMS. If exploited, attackers with backend style customization permissions could execute arbitrary JavaScript, potentially leading to session hijacking, credential theft, or unauthorized actions within the CMS backend. This could compromise sensitive content management workflows, internal administrative controls, and potentially lead to further lateral movement within the network. Organizations with multiple backend users or delegated style customization roles are particularly vulnerable. While availability is not directly impacted, the breach of backend integrity and confidentiality can have significant operational and reputational consequences. Given the medium severity and the requirement for authenticated users with specific permissions, the threat is moderate but should not be underestimated, especially in sectors like government, finance, and media where CMS integrity is critical.
Mitigation Recommendations
1. Immediately upgrade October CMS installations to version 3.7.13 or 4.0.12 or later, where the vulnerability is patched.
2. Restrict the 'Customize Backend Styles' permission to only trusted and essential personnel to minimize the risk of malicious input.
3. Conduct an audit of existing backend style inputs to detect any suspicious or unauthorized scripts.
4. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the backend environment.
5. Monitor backend logs for unusual activity related to style customization or script execution.
6. Educate backend users with style customization permissions about the risks of injecting untrusted content.
7. Consider isolating backend administrative interfaces behind VPNs or IP whitelisting to reduce exposure.
8. Regularly review and update CMS plugins and extensions to ensure compatibility and security.
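The root cause described in the technical summary is that an HTML parser ends a <style> element at the first "</style" it encounters, regardless of CSS syntax, so raw CSS dropped inline into a page can terminate the element early. The following added example (not October CMS code; the function names, the sample stylesheets and the rendered markup are constructed for illustration) shows the flawed embedding pattern beside two hardened alternatives, plus an audit helper of the kind mitigation step 3 calls for, run over stored stylesheet text.

```python
import html
import re

# Constructed sample stylesheets (not taken from the advisory).
SAFE_CSS = "body { background: #f4f4f4; } .brand { color: #0a5; }"
BREAKOUT_CSS = "body { color: red; } </style><b>injected markup</b>"

# The HTML tokenizer closes a raw-text element such as <style> at the
# first "</style" (case-insensitive), no matter what the CSS around it says.
STYLE_TERMINATOR = re.compile(r"</style", re.IGNORECASE)


def count_style_terminators(markup: str) -> int:
    """How many places an HTML parser would treat as the end of <style>.

    A correctly rendered block has exactly one; more than one means the
    stored CSS closed the element early and everything after it is parsed
    as ordinary HTML.
    """
    return len(STYLE_TERMINATOR.findall(markup))


def render_unsafe(css: str) -> str:
    """The flawed pattern: user-controlled CSS concatenated into <style>."""
    return f"<style>{css}</style>"


def neutralize_style_content(css: str) -> str:
    """Make CSS safe to place inline in a <style> element.

    Every "</" becomes "<\\/". The CSS tokenizer reads "\\/" as an escaped
    solidus, so valid stylesheets keep their meaning, while the HTML parser
    can no longer see the sequence "</style" anywhere in the content.
    NUL bytes are dropped because parsers normalise them unpredictably.
    """
    return css.replace("\x00", "").replace("</", "<\\/")


def render_safe_inline(css: str) -> str:
    """Hardened inline embedding using neutralize_style_content()."""
    return f"<style>{neutralize_style_content(css)}</style>"


def render_as_link(stylesheet_url: str) -> str:
    """Safest option: serve the CSS from its own URL with Content-Type
    text/css and reference it with <link>. The CSS is then never fed to the
    HTML parser at all, so no breakout is possible. Only the attribute
    value needs HTML escaping.
    """
    return f'<link rel="stylesheet" href="{html.escape(stylesheet_url, quote=True)}">'


# Patterns worth flagging when auditing stored stylesheet values. CSS has
# no legitimate use for a "<" followed by a letter or "/" outside quoted
# strings, so a hit is a strong signal that review is needed (a string like
# content: "<" is a tolerable false positive for an audit).
SUSPICIOUS_PATTERNS = [
    ("style-terminator", re.compile(r"</style", re.IGNORECASE)),
    ("html-tag", re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)),
]


def audit_stylesheet(css: str) -> list[str]:
    """Return the names of suspicious patterns present in a stored stylesheet."""
    return [name for name, pattern in SUSPICIOUS_PATTERNS if pattern.search(css)]


if __name__ == "__main__":
    for label, css in (("safe", SAFE_CSS), ("breakout", BREAKOUT_CSS)):
        print(f"{label}: unsafe render has {count_style_terminators(render_unsafe(css))} terminator(s), "
              f"hardened render has {count_style_terminators(render_safe_inline(css))}, "
              f"audit flags {audit_stylesheet(css)}")
```

The audit helper is a triage aid, not a sanitizer: it tells you which stored values deserve a look, while the rendering fix is what actually removes the breakout. Pairing either hardened renderer with a Content-Security-Policy whose script-src excludes 'unsafe-inline' (mitigation step 4) means that even a missed breakout cannot run injected inline script.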
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-29T20:25:16.181Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6961cb1719784dcf52be20d5
Added to database: 1/10/2026, 3:44:23 AM
Last enriched: 1/10/2026, 3:59:16 AM
Last updated: 1/10/2026, 9:21:56 PM