CVE-2021-32648

Published: Aug 26, 2021

Modified: Oct 21, 2025

PUBLISHED

CVSS v3.1

8.2

HIGH

Description

octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

Vendor	Product	Versions
octobercms	october	affected `>= 1.0.471, < 1.0.472` affected `>= 1.1.1, < 1.1.5`

Weaknesses (CWE)

CWE-287

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

References

https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc

x_refsource_CONFIRM

https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374

x_refsource_MISC

https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-32648

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References