GHSA-79JW-2F46-WV22

Vulnerability from github – Published: 2022-02-23 21:08 – Updated: 2022-02-25 15:37
VLAI
Summary
Authenticated remote code execution in October CMS
Details

Impact

An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass cms.safe_mode / cms.enableSafeMode in order to execute arbitrary code.

  • This issue only affects admin panels that rely on safe mode and restricted permissions.
  • To exploit this vulnerability, an attacker must first have access to the backend area.

Patches

The issue has been patched in Build 474 (v1.0.474) and v1.1.10.

Workarounds

Apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually if unable to upgrade to Build 474 or v1.1.10.

References

Credits to: - David Miller

For more information

If you have any questions or comments about this advisory: - Email us at hello@octobercms.com

Severity
7.2 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/system"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.474"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/system"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/system"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.27"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-23T21:08:44Z",
    "nvd_published_at": "2022-02-23T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAn authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass  `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code.\n\n- This issue only affects admin panels that rely on safe mode and restricted permissions.\n- To exploit this vulnerability, an attacker must first have access to the backend area.\n\n### Patches\n\nThe issue has been patched in Build 474 (v1.0.474) and v1.1.10.\n\n### Workarounds\n\nApply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually if unable to upgrade to Build 474 or v1.1.10.\n\n### References\n\nCredits to:\n- David Miller\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n- Email us at [hello@octobercms.com](mailto:hello@octobercms.com)",
  "id": "GHSA-79jw-2f46-wv22",
  "modified": "2022-02-25T15:37:37Z",
  "published": "2022-02-23T21:08:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21705"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authenticated remote code execution in October CMS"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.