PT-2022-1751 · Unknown · October Cms
Nikita Khaetsky +1
Published 2022-02-20 · Updated 2022-03-07
CVE-2022-23655
CVSS v2.0: 5.4 (Medium)
| Vector | AV:N/AC:H/Au:N/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OctoberCMS versions prior to build 474
OctoberCMS versions prior to v1.1.10
OctoberCMS version 1.0
Description
OctoberCMS did not validate the signature of the gateway server it communicates with, so a non-authoritative gateway server could be substituted and used to exfiltrate users' private license keys. This can lead to unauthorized access to protected information. The vulnerability affects authors of plugins and themes listed on the October CMS marketplace: an end-user who enters their private license key into a compromised server may inadvertently expose those authors to financial loss. A project fork of October CMS v1.0 has been disclosed to be using a compromised gateway to access the October CMS marketplace service, capturing personal and business information of users and authors, including private source code files.
Recommendations
For OctoberCMS versions prior to build 474, upgrade to build 474 or apply the patch (e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a) manually.
For OctoberCMS versions prior to v1.1.10, upgrade to v1.1.10 or apply the patch (e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a) manually.
For OctoberCMS version 1.0, consider upgrading to a newer version or applying the patch (e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a) manually as a temporary workaround.
Do not share your license key with anyone except October CMS.
Check to make sure that your gateway update server has not been modified.
Be aware of phishing websites, including other platforms that use the same appearance.
Authors may contact October CMS for help with requesting the removal of affected plugins.
Before providing plugin support, verify that the user holds a legitimate copy of the plugin.
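The missing check in the description (a client that trusts whichever gateway answers) and the recommendation to verify that the gateway update server has not been modified come down to one control: pin the gateway's public key and refuse to send the license key until the gateway's response verifies against it. The following is an added example written for this page, not OctoberCMS code; the response format, the seeds used to derive keys, the manifest payload and the license-key string are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// GatewayResponse is a constructed stand-in for what a marketplace or update
// gateway returns: a payload plus a detached signature over that payload.
type GatewayResponse struct {
	Payload   []byte
	Signature []byte
}

// Client pins the public key of the one gateway it is willing to talk to.
type Client struct {
	TrustedKey ed25519.PublicKey
	LicenseKey string
}

var ErrUntrustedGateway = errors.New("gateway response failed signature verification")

// VerifyGateway rejects a response that is unsigned, malformed, or signed by
// any key other than the pinned one. A client that skips this check sends its
// license key to whichever server answers.
func (c Client) VerifyGateway(r GatewayResponse) error {
	if len(c.TrustedKey) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return ErrUntrustedGateway
	}
	if !ed25519.Verify(c.TrustedKey, r.Payload, r.Signature) {
		return ErrUntrustedGateway
	}
	return nil
}

// SubmitLicense builds the request body that carries the private license key.
// It refuses to do so unless the gateway has been verified first.
func (c Client) SubmitLicense(r GatewayResponse) ([]byte, error) {
	if err := c.VerifyGateway(r); err != nil {
		return nil, err
	}
	return json.Marshal(map[string]string{"license_key": c.LicenseKey})
}

// gateway is a mock server holding a signing key. The legitimate gateway and a
// rogue one are the same type; they differ only in which key they hold.
type gateway struct{ priv ed25519.PrivateKey }

// newGateway derives a key from a fixed, constructed seed so the example is
// reproducible; real deployments generate signing keys randomly.
func newGateway(seed byte) gateway {
	s := make([]byte, ed25519.SeedSize)
	for i := range s {
		s[i] = seed
	}
	return gateway{priv: ed25519.NewKeyFromSeed(s)}
}

// Respond signs the payload with the gateway's own key.
func (g gateway) Respond(payload string) GatewayResponse {
	return GatewayResponse{Payload: []byte(payload), Signature: ed25519.Sign(g.priv, []byte(payload))}
}

// RunScenario exercises the three cases a defender cares about and reports
// whether the license key would have been sent in each:
//   legit    - the pinned gateway answers (should be accepted)
//   rogue    - a different server answers with its own valid signature
//   tampered - a genuine signature, but the payload was altered in transit
func RunScenario() (legit, rogue, tampered bool) {
	official := newGateway(0x01)
	impostor := newGateway(0x02)
	client := Client{
		TrustedKey: official.priv.Public().(ed25519.PublicKey),
		LicenseKey: "EXAMPLE-LICENSE-KEY", // constructed placeholder, not a real key
	}
	const manifest = `{"gateway":"marketplace","endpoint":"/api/v1/license"}`

	_, err := client.SubmitLicense(official.Respond(manifest))
	legit = err == nil

	_, err = client.SubmitLicense(impostor.Respond(manifest))
	rogue = err == nil

	bad := official.Respond(manifest)
	bad.Payload = []byte(`{"gateway":"marketplace","endpoint":"/api/v1/other"}`)
	_, err = client.SubmitLicense(bad)
	tampered = err == nil
	return legit, rogue, tampered
}

func main() {
	legit, rogue, tampered := RunScenario()
	fmt.Printf("legitimate gateway accepted: %v\n", legit)
	fmt.Printf("rogue gateway accepted:      %v\n", rogue)
	fmt.Printf("tampered payload accepted:   %v\n", tampered)
}
```

The design point is that the trusted key is fixed in the client rather than learned from the gateway: a rogue server can produce a perfectly valid signature under its own key, so "is the signature valid?" is only meaningful as "is it valid under the key I already trust?". The tampered case shows why the signature must cover the whole payload the client acts on, not just an identity field.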
Weakness Enumeration
Improper Verification of Cryptographic Signature
Affected Products
October Cms