CVE-2021-29487 — Improper Authentication in October
Severity
NVD: 7.4 HIGH
GHSA: 9.1
OSV: 9.1
EPSS
0.5%
top 33.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Aug 26
Latest update: Aug 30
Description
October CMS is a CMS platform based on the Laravel PHP framework. In affected versions of the october/system package, an unauthenticated attacker can send a specially crafted request that bypasses authentication and takes over any user account on an October CMS server. Only frontend (site visitor) user accounts are affected, and the attacker must first obtain the Laravel secret key used for cookie encryption and signing in order to exploit this vulnerability. The issue…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 2.2 | Impact: 5.2