PT-2022-3951 · Unknown · October CMS

Published 2022-03-29 · Updated 2022-07-20 · CVE-2022-24800

CVSS v3.1: 8.1 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

October CMS versions prior to 1.0.476
October CMS versions prior to 1.1.12
October CMS versions prior to 2.2.15

Description

The issue lies in the implementation of the fromData method in October CMS: a race condition in the temporary storage directory allows remote code execution (RCE). An unauthenticated user can exploit it when the developer allows the user to specify their own filename in the fromData method. The vulnerability affects plugins that expose October\Rain\Database\Attach\File::fromData as a public interface; it does not affect vanilla installations of October CMS.

Recommendations

For versions prior to 1.0.476, update to Build 476 (v1.0.476) or apply the patch manually as a workaround.
For versions prior to 1.1.12, update to v1.1.12 or apply the patch manually as a workaround.
For versions prior to 2.2.15, update to v2.2.15 or apply the patch manually as a workaround.

As a temporary workaround, consider restricting access to the October\Rain\Database\Attach\File::fromData method to minimize the risk of exploitation.

Exploit

Fix

RCE

Race Condition

Weakness Enumeration

Related Identifiers

BDU:2022-04781
CVE-2022-24800
GHSA-8V7H-CPC2-R8JP

Affected Products

October CMS