CVE-2021-29487
Published 2021-08-26
Priority: P3 · 48 · CVSS 3.1: 7.4 (High) · Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.90% (55.0th percentile)
octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can exploit this vulnerability to bypass authentication and take over any user account on an October CMS server. The vulnerability is exploitable by unauthenticated users via a specially crafted request. This only affects frontend users, and the attacker must obtain the Laravel secret key used for cookie encryption and signing in order to exploit this vulnerability. The issue has been patched in Build 472 and v1.1.5.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | system | >= 0 < 1.0.472 | 1.0.472 |
| october | system | >= 1.1.1 < 1.1.5 | 1.1.5 |
| octobercms | october | — | — |
| octobercms | october | — | — |
| octobercms | october | >= 1.0.471 < 1.0.472 | 1.0.472 |
| octobercms | october | >= 1.1.1 < 1.1.5 | 1.1.5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | 2.0 | 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| ghsa | — | 9.1 | CRITICAL | — |
| osv | — | 9.1 | CRITICAL | — |
GHSA
GHSA · 2021-08-30 · CVSS 9.1 · CRITICAL · CWE-287
CVE-2021-29487: October CMS auth bypass and account takeover
### Impact
An attacker can exploit this vulnerability to bypass authentication using a specially crafted persist cookie.
- To exploit this vulnerability, an attacker must obtain the Laravel secret key used for cookie encryption and signing.
- Due to the logic of how this mechanism works, the targeted user account must be logged in while the attacker is exploiting the vulnerability.
- Authorization via the persist cookie is not shown in access logs.
### Patches
- The issue has been patched in Build 472 and v1.1.5.
- [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648)
### Workarounds
Apply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b82
OSV
OSV · 2021-08-30 · CVSS 9.1 · CRITICAL
CVE-2021-29487: October CMS auth bypass and account takeover (advisory text identical to the GHSA entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374
- https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9
- https://github.com/octobercms/october/security/advisories/GHSA-h76r-vgf3-j6w5