PT-2022-10089 · Unknown · October CMS
Cydave +1 · Published 2022-01-14 · Updated 2022-08-05 · CVE-2021-32649
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
October CMS versions prior to 1.0.473 and 1.1.6
Description
The issue allows an attacker with "create, modify and delete website pages" privileges in the backend to execute PHP code by running specially crafted Twig code in the template markup.
Recommendations
For versions prior to 1.0.473, update to version 1.0.473 or apply the patch to the installation manually as a workaround.
For versions prior to 1.1.6, update to version 1.1.6 or apply the patch to the installation manually as a workaround.
Fix
Special Elements Injection
Code Injection
Related Identifiers
Affected Products
October CMS