PT-2022-23050 · Unknown · October Cms

Cydave +1

Published: 2022-10-13 · Updated: 2022-10-18

CVE-2022-35944

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: October CMS versions prior to 2.2.34; October CMS versions prior to 3.0.66

Description: This issue affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. An attacker with access to the admin panel and permission to open the "Editor" section can bypass the Safe Mode (cms.safe_mode) restriction to introduce new PHP code in a CMS template using a specially crafted request.

Recommendations: For versions prior to 2.2.34, update to version 2.2.34 or later. For versions prior to 3.0.66, update to version 3.0.66 or later. As a temporary workaround, consider restricting access to the "Editor" section in the admin panel until a patch is applied.

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2022-35944
GHSA-X4Q7-M6FP-4V9V

Affected Products

October Cms