PT-2022-10090 · Unknown · October Cms
Sushiwushi · Published 2022-01-14 · Updated 2022-08-05
CVE-2021-32650
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
October CMS versions prior to 1.0.473 and 1.1.6
Description
October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. An attacker with access to the backend can execute PHP code by using the theme import feature, bypassing the safe mode feature that prevents PHP execution in the CMS templates.
Recommendations
For versions prior to 1.0.473, upgrade to version 1.0.473 or, as a workaround, apply the patch to the installation manually.
For versions prior to 1.1.6, upgrade to version 1.1.6 or, as a workaround, apply the patch to the installation manually.
As a temporary workaround, consider restricting access to the theme import feature until the patch is applied.
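The advisory's point is that a theme archive can carry PHP into an installation where safe mode is meant to keep PHP out of CMS templates. A defender who cannot upgrade immediately can at least inspect theme archives before they are imported. The following is an added example (not code from the advisory or from the October CMS project) of such a pre-import check: it walks a theme zip and reports any entry that is a PHP file, contains a PHP open tag, or looks like an October template with a PHP section. The `==` section-separator layout of `.htm` templates is an assumption about the template format made for this example, as are the sample archive contents, which are constructed inline.

```python
import io
import re
import zipfile

# PHP open tags: "<?php" or the short echo form "<?=".
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)

# Assumption for this example: an October CMS .htm template is split into
# sections by lines containing only "==" (config == php == twig). Two
# separators therefore imply a middle PHP section even without an open tag.
SECTION_SEPARATOR = re.compile(r"^==\s*$", re.MULTILINE)

TEMPLATE_SUFFIXES = (".htm", ".html", ".twig")
PHP_SUFFIXES = (".php", ".phtml")


def find_php_in_theme_archive(archive_bytes):
    """Return a list of (entry name, reason) for every entry that carries PHP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            # Plain PHP files have no business in a theme imported under safe mode.
            if lower.endswith(PHP_SUFFIXES):
                findings.append((name, "php-file-extension"))
                continue
            if not lower.endswith(TEMPLATE_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            if PHP_OPEN_TAG.search(text):
                findings.append((name, "php-open-tag"))
                continue
            # Heuristic (assumption, see above): three-section .htm template.
            if lower.endswith(".htm") and len(SECTION_SEPARATOR.findall(text)) >= 2:
                findings.append((name, "possible-php-section"))
    return findings


def build_sample_theme(malicious=True):
    """Build a constructed theme archive in memory for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Benign two-section template: config == twig, no PHP.
        zf.writestr("layouts/default.htm", "description = \"Default\"\n==\n{% page %}\n")
        if malicious:
            # Three-section template whose middle section is PHP.
            zf.writestr(
                "pages/home.htm",
                "url = \"/\"\n==\n<?php\nfunction onStart() { }\n?>\n==\n<h1>Home</h1>\n",
            )
            # A bare PHP file hidden under the assets directory.
            zf.writestr("assets/js/helper.php", "<?php echo 'hello'; ?>\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in find_php_in_theme_archive(build_sample_theme()):
        print(f"{entry}: {reason}")
```

Run it against a real theme archive by replacing the constructed bytes with the file contents; any finding is a reason to reject the import, or at least to review the flagged entries, while safe mode is supposed to be in force.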
Special Elements Injection
Code Injection
Affected Products: October Cms