QwikSec

Security Database

CVE

CWE

Training

CVE-2021-21265

Published: Mar 10, 2021

Modified: May 29, 2025

PUBLISHED

CVSS v3.1

6.8

MEDIUM

Description

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.

Vendor	Product	Versions
octobercms	october	affected `< 1.1.2`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp

x_refsource_CONFIRM

https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d

x_refsource_MISC

https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6

x_refsource_MISC

https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30

x_refsource_MISC

https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0

x_refsource_MISC

https://packagist.org/packages/october/backend

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.