CVE-2021-32648
published 2021-08-26

Priority P1 · 96 · critical · CVSS 3.1 9.1
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2022-02-01)
Exploited in the wild
EPSS: 90.42% (99.8th percentile)
octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

Affected (6 ranges)

Vendor      Product  Version range       Fixed in
october     system   >= 0 < 1.0.472      1.0.472
october     system   >= 1.1.1 < 1.1.5    1.1.5
octobercms  october
octobercms  october
octobercms  october
octobercms  october  >= 1.1.1 < 1.1.5    1.1.5

Detection & IOCs (extracted from sources)

url: /backend/backend/auth/restore
url: /backend/backend/auth/reset/1/
cookie: october_session=; admin_auth=
command:
POST /backend/backend/auth/reset/1/{{reset_token}} HTTP/1.1
Content-Type: application/json

{"_token":"{{csrf_token}}","postback":1,"id":1,"code":true,"password":"{{password}}"}
snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OctoberCMS Auth Bypass Inbound M1 trigger_reset (CVE-2021-32648)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backend/backend/auth/restore"; http.request_body; content:"_token="; startswith; content:"&postback=1"; content:"&login=admin"; reference:url,github.com/Immersive-Labs-Sec/CVE-2021-32648/blob/main/cve-2021-32648.py; reference:cve,2021-32648; classtype:attempted-admin; sid:2034929; rev:1;)
snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT OctoberCMS Auth Bypass Inbound M2 set_password (CVE-2021-32648)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/backend/backend/auth/reset/1/"; http.request_body; content:"{"; startswith; content:"_token"; content:"postback"; content:"id"; content:"code"; content:"true"; content:"password"; reference:url,github.com/Immersive-Labs-Sec/CVE-2021-32648/blob/main/cve-2021-32648.py; reference:cve,2021-32648; classtype:attempted-admin; sid:2034930; rev:1;)
  • Exploit step 1 (trigger_reset): Look for HTTP POST to /backend/backend/auth/restore with body containing _token=, &postback=1, and &login=admin — this initiates the password reset for the admin account.
  • Exploit step 2 (set_password): Look for HTTP POST to /backend/backend/auth/reset/1/ with a JSON body containing "code":true — the boolean true value is the exploit payload that bypasses the reset code check.
  • Successful exploitation results in an HTTP 302 redirect response to the password reset endpoint, followed by a successful login producing Set-Cookie headers for both october_session and admin_auth.
  • The vulnerability is in Auth/Models/User.php (checkResetPasswordCode function, line 281) where == is used instead of === for reset code comparison, allowing boolean true to match any string.
  • Palo Alto Networks Threat Prevention Threat ID 92199 covers detection of this vulnerability for NGFW customers.
  • Shodan query http.component:"october cms" can be used to identify internet-facing OctoberCMS instances potentially vulnerable to this CVE.
  • The vulnerability is only exploitable when the server is running PHP below version 7.4, because PHP 7.4+ enforces stricter type handling that prevents the boolean true bypass.
  • The exploit targets account ID 1 (the default admin account) in the reset URL path /backend/backend/auth/reset/1/; installations where the admin account has a different ID may require a modified exploit path.
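The root cause listed above is a loose (==) comparison between the stored reset code and the value taken from the request body. The snippet below is an added illustration, not OctoberCMS's own code: it reproduces the weak check beside a hardened one and feeds both a legitimate request and a forged one carrying a JSON boolean. The function names, the stored code value and the two request arrays are constructed for this example. The forged request passes the loose check and fails the strict one, which is the behaviour the "code":true indicator in the rules above is looking for.

```php
<?php
// Added illustration (not OctoberCMS code): loose vs. strict reset-code check.

// Reset code persisted for the account; constructed sample value.
$storedCode = 'a1b2c3d4e5f6';

// Weak pattern: loose comparison. In PHP, true == "<any non-empty string>"
// evaluates to true because the string is coerced to bool, so a decoded JSON
// body with "code": true satisfies the check without knowing the code.
function checkResetCodeLoose($stored, $supplied): bool
{
    return $supplied == $stored;
}

// Hardened pattern: reject anything that is not a string before comparing,
// then compare with hash_equals(), which is strict on type and length and
// does not leak timing information about where the mismatch occurs.
function checkResetCodeStrict($stored, $supplied): bool
{
    if (!is_string($stored) || !is_string($supplied)) {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Bodies as they look after json_decode($raw, true); both constructed.
$requests = [
    'legitimate' => ['code' => 'a1b2c3d4e5f6'],
    'forged'     => ['code' => true],
];

foreach ($requests as $label => $body) {
    printf(
        "%-10s loose=%-5s strict=%s\n",
        $label,
        var_export(checkResetCodeLoose($storedCode, $body['code']), true),
        var_export(checkResetCodeStrict($storedCode, $body['code']), true)
    );
}
```

The type check in the hardened version matters as much as the strict comparison: hash_equals() raises a TypeError on a non-string argument, so validating the decoded JSON value first turns an unexpected type into a clean failed check rather than an error path.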

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.1    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd        v2.0     6.4    MEDIUM    AV:N/AC:L/Au:N/C:P/I:P/A:N
ghsa                9.1    CRITICAL
osv                 9.1    CRITICAL
vulncheck           8.2    HIGH
cisa                9.1    CRITICAL