CVE-2021-21265Improper Neutralization of HTTP Headers for Scripting Syntax in October

CWE-644Improper Neutralization of HTTP Headers for Scripting Syntax3 documents3 sources
Severity
7.5HIGHNVD
EPSS
0.5%
top 33.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Octobercms OctoberOctober Backend
Timeline
PublishedMar 10

Description

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configura

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

Packagistoctober/backend< 1.1.2
NVDoctobercms/october< 1.1.2

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers2021-03-10
GHSA
October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers2021-03-10