CVE-2021-29487

Published: Aug 26, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

7.4

HIGH

Description

octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can exploit this vulnerability to bypass authentication and takeover of and user account on an October CMS server. The vulnerability is exploitable by unauthenticated users via a specially crafted request. This only affects frontend users and the attacker must obtain a Laravel secret key for cookie encryption and signing in order to exploit this vulnerability. The issue has been patched in Build 472 and v1.1.5.

Vendor	Product	Versions
octobercms	october	affected `>= 1.0.471, < 1.0.472` affected `>= 1.1.1, < 1.1.5`

Weaknesses (CWE)

CWE-287

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374

x_refsource_MISC

https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9

x_refsource_MISC

https://github.com/octobercms/october/security/advisories/GHSA-h76r-vgf3-j6w5

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-29487

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References