octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NOctobercms October
APPOctobercms1.0.4711.1.1 – 1.1.5 (bez)
CISA KEV — detailsi
- Vendori
- October CMS
- Producti
- October CMS
- Added to KEVi
- January 18, 2022
- Remediation deadline (US Federal)i
- February 1, 2022(overdue)
Apply updates per vendor instructions.
In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
Related vulnerabilities
October CMS — ucieczka z piaskownicy Twig i wykonanie arbitralnego PHP
An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid...
October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creatin...
October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulti...
October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site...