PT-2021-14373 · Octobercms · October

Abdullah Hussam · Published 2021-03-10 · Updated 2025-05-30 · CVE-2021-21265

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: October versions prior to 1.1.2
Description: The issue exists in October when running on poorly configured servers, where the server routes any request, regardless of the Host header, to an October CMS instance. This allows Host Header Poisoning attacks to succeed. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. To mitigate the risk, it is recommended to configure the web server to only allow known hostnames.
Recommendations: For versions prior to 1.1.2, update to version 1.1.2, which adds a feature to allow a set of trusted hosts to be specified in the application. As a temporary workaround, set the configuration setting cms.linkPolicy to force. If unable to upgrade to v1.1.2, apply the manual patches from https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 and https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 to your installation. Check that your web server does not accept arbitrary hostnames when serving your web application: add an entry called testing.tld to your computer's hosts file, directing it to your server's IP address, and confirm that an October CMS website is not served at that address. If an October CMS website is returned, configure your web server to only allow known hostnames.
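As an added illustration, not October's own code, the following Python models the two mitigations named above: a trusted-host allowlist (the feature 1.1.2 adds) and a forced link policy (the cms.linkPolicy workaround), next to an unchecked link builder that shows why a server accepting any hostname matters. The configuration names APP_URL and TRUSTED_HOSTS, the example hostnames and the function names are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed configuration for this example (not October's real config keys):
# the canonical site URL and the set of hostnames the site is known to serve.
APP_URL = "https://www.example.com"
TRUSTED_HOSTS = {"www.example.com", "example.com"}


def host_from_header(host_header):
    """Return the lowercase hostname from a Host header value, without any port."""
    # A leading "//" makes urlsplit treat the value as a network location.
    return urlsplit("//" + host_header.strip()).hostname or ""


def build_link_unchecked(host_header, path):
    """Link builder that trusts the Host header outright.

    On a server that routes every hostname to the application, whatever the
    client sends as Host ends up in generated absolute links (for example a
    password-reset e-mail), which is the poisoning the advisory describes.
    """
    return "https://" + host_header.strip() + path


def build_link(host_header, path, link_policy="detect", trusted_hosts=None):
    """Hardened link builder implementing both mitigations from the advisory.

    link_policy="force": ignore the request host and always use APP_URL
    (the cms.linkPolicy = force workaround).
    link_policy="detect": use the request host only if it is in the trusted
    set (the trusted-hosts feature added in 1.1.2); otherwise refuse.
    """
    if link_policy == "force":
        return APP_URL.rstrip("/") + path
    allowed = TRUSTED_HOSTS if trusted_hosts is None else set(trusted_hosts)
    host = host_from_header(host_header)
    if host not in allowed:
        raise ValueError("untrusted Host header: %r" % host_header)
    return "https://" + host + path


def points_outside_site(link, trusted_hosts=None):
    """True if a generated link's hostname is not one the site is known to serve."""
    allowed = TRUSTED_HOSTS if trusted_hosts is None else set(trusted_hosts)
    return urlsplit(link).hostname not in allowed
```

Feeding `testing.tld` (the arbitrary hostname from the advisory's check) to `build_link_unchecked` yields a link to that host, while `build_link` either refuses it or, under the force policy, substitutes the configured site URL.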

Related Identifiers

CVE-2021-21265
GHSA-XHFX-HGMF-V6VP

Affected Products

October