PT-2022-15052 · Unknown · October Cms

Cydave +1 · Published 2022-02-23 · Updated 2023-07-24 · CVE-2022-21705

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
October CMS versions prior to 1.0.474
October CMS versions prior to 1.1.10

Description
October CMS is a self-hosted CMS platform based on the Laravel PHP framework. In affected versions, user input was not properly sanitized before rendering. An authenticated user with permission to create, modify, and delete website pages can exploit this issue to bypass safe mode (cms.safe mode / cms.enableSafeMode) and execute arbitrary code. The issue only affects admin panels that rely on safe mode and restricted permissions: to exploit it, an attacker must first have access to the backend area.

Recommendations
For versions prior to 1.0.474, update to Build 474 (v1.0.474) or apply the patch from https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually. For versions prior to 1.1.10, update to v1.1.10 or apply the same patch from https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually.


Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2022-21705
GHSA-79JW-2F46-WV22

Affected Products

October Cms