CVE-2021-41126
Published: 2021-10-06
Priority: P3 (39) · CVSS 3.1 base score: 7.2 (High) · EPSS: 1.06% (60.2nd percentile)
October is a Content Management System (CMS) and web platform built on the Laravel PHP Framework. In affected versions, administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the october/october package. There are no workarounds for this issue and all users should update.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | october | >= 2.1.0 < 2.1.12 | 2.1.12 |
| october | system | >= 2.1.0 < 2.1.12 | 2.1.12 |
| octobercms | october | — | — |
| octobercms | october | >= 2.0.0 < 2.1.12 | 2.1.12 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
OSV advisory (osv, 2021-10-06): CVE-2021-41126 [HIGH] Deleted Admin Can Sign In to Admin Interface
### Impact
Assuming an administrator previously had access to the admin interface, they may still be able to sign in to the backend using October CMS v2.0 even after their account has been deleted.
### Patches
The issue has been patched in v2.1.12.
### Workarounds
- Reset the password of the deleted accounts to prevent them from signing in.
- Please contact [email protected] for code change instructions if you are unable to upgrade.
### References
Credits to:
- Daniel Bidala
### For more information
If you have any questions or comments about this advisory:
* Email us at [[email protected]](mailto:[email protected])
GHSA advisory (ghsa, 2021-10-06): CVE-2021-41126 [HIGH] CWE-287 Deleted Admin Can Sign In to Admin Interface. The GHSA text is identical to the OSV advisory above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.