CVE-2022-21705
Published 2022-02-23
Priority P3 (57) · Severity: high · CVSS 3.1 base score: 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: public (Nuclei template indexed below)
EPSS: 8.68% (94.5th percentile)
October CMS is a self-hosted CMS platform based on the Laravel PHP framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code. This issue only affects admin panels that rely on safe mode and restricted permissions. To exploit this vulnerability, an attacker must first have access to the backend area. The issue has been patched in Build 474 (v1.0.474) and v1.1.10. Users unable to upgrade should apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to their installation manually.
Affected
6 version ranges (two further rows in the source carried no version data and are omitted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| october | system | >= 0 < 1.0.474 | 1.0.474 |
| october | system | >= 1.1.0 < 1.1.10 | 1.1.10 |
| october | system | >= 2.0.0 < 2.1.27 | 2.1.27 |
| octobercms | october | < 1.0.474 | 1.0.474 |
| octobercms | october | >= 1.1.0 < 1.1.10 | 1.1.10 |
| octobercms | october | >= 2.0.0 < 2.1.27 | 2.1.27 |
Note that the 2.x fix (2.1.27) appears only in the affected-range data; the advisory text itself names 1.0.474 and 1.1.10.
Detection & IOCs (extracted from the indexed sources)
Command / payload (URL-encoded `markup` form field from the Nuclei template):
`markup=%3C%3Fphp%0D%0A%0D%0Afunction+onInit()+%7B%0D%0A++++phpinfo()%3B%0D%0A%7D%0D%0A%0D%0A%3F%3E%0D%0A%3D%3D%0D%0A`
Decoded, this is a PHP section followed by the `==` separator October CMS templates use between the PHP and markup sections:
```php
<?php

function onInit() {
    phpinfo();
}

?>
==
```
- Detect exploitation attempts by monitoring POST requests to /backend/cms with the custom header X-OCTOBER-REQUEST-HANDLER set to onSave, containing PHP code in the markup parameter (e.g., a URL-encoded `<?php ... ?>` payload).
- Alert on responses containing both 'function onInit()' and 'phpinfo()' in the body alongside the safe mode warning string, which confirms a successful safe mode bypass and RCE.
- Monitor for the X-Requested-With: XMLHttpRequest header combined with X-OCTOBER-REQUEST-HANDLER headers targeting onSave, onCreateTemplate, or onOpenTemplate on the /backend/cms endpoint, as these are the specific handlers abused in the exploit chain.
- The exploit requires an authenticated session; look for sequential POST requests to /backend/backend/auth/signin followed by /backend/cms with PHP markup injection as an attack chain indicator.
- Flag POST bodies to /backend/cms containing 'templateType=page' and URL-encoded PHP tags (%3C%3Fphp) in the markup parameter, indicating an attempt to inject PHP code into a CMS page template.
- The vulnerability only affects October CMS installations where cms.safe_mode / cms.enableSafeMode is enabled and backend access is restricted by permissions. Installations not relying on safe mode for security are not the primary target.
- Exploitation requires an authenticated user with permissions to create, modify, and delete website pages; unauthenticated exploitation is not possible.
- The patch is available in Build 474 (v1.0.474) and v1.1.10; the manual patch commit should be applied if upgrading is not possible.
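The indicators above, combined into one detector and run over a constructed request log. This is an added example written for this page, not code from October CMS, the Nuclei project, or any of the indexed sources. The `Request` record layout, field names, IPs, timestamps and the 600-second signin window are assumptions; the paths, headers, handler names, `templateType=page` marker and the URL-encoded payload come from the page. Only PHP inside the decoded `markup` field is treated as an exploit attempt, because the handler and `templateType` hits alone also fire on every legitimate page save.

```python
"""Detection logic for CVE-2022-21705 exploitation attempts (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Handlers the page names as abused on /backend/cms.
ABUSED_HANDLERS = {"onSave", "onCreateTemplate", "onOpenTemplate"}
CMS_PATH = "/backend/cms"
SIGNIN_PATH = "/backend/backend/auth/signin"
# PHP open tag (long form or short-echo form), matched after URL decoding.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


@dataclass(frozen=True)
class Request:
    """One logged HTTP request. The field layout is an assumption of this
    example; map your own proxy/WAF log fields onto it."""
    ts: int            # epoch seconds
    client: str        # source IP
    method: str
    path: str
    headers: dict      # header name -> value, any letter case
    body: str = ""     # raw, still URL-encoded form body

    def header(self, name: str):
        wanted = name.lower()
        for key, value in self.headers.items():
            if key.lower() == wanted:
                return value
        return None


def form_field(body: str, name: str):
    """Decode one field of an application/x-www-form-urlencoded body."""
    values = parse_qs(body, keep_blank_values=True).get(name)
    return values[0] if values else None


def classify(req: Request) -> list:
    """Return the indicator names a request matches; an empty list means clean."""
    hits = []
    if req.method != "POST" or not req.path.startswith(CMS_PATH):
        return hits
    handler = req.header("X-OCTOBER-REQUEST-HANDLER")
    if handler in ABUSED_HANDLERS:
        hits.append("handler:" + handler)
        if req.header("X-Requested-With") == "XMLHttpRequest":
            hits.append("ajax-handler")
    if form_field(req.body, "templateType") == "page":
        hits.append("page-template")
    markup = form_field(req.body, "markup")
    if markup and PHP_OPEN_TAG.search(markup):
        hits.append("php-in-markup")  # the decisive indicator
    return hits


def is_exploit_attempt(req: Request) -> bool:
    return "php-in-markup" in classify(req)


def response_confirms_bypass(response_body: str) -> bool:
    """Rendered output echoing both the injected function and the phpinfo()
    call indicates the safe-mode bypass worked. The page also mentions a safe
    mode warning string but does not quote it, so it is not matched here."""
    return "function onInit()" in response_body and "phpinfo()" in response_body


def find_attack_chains(requests, window: int = 600) -> list:
    """Pair each exploit attempt with the same client's most recent signin
    within `window` seconds: the signin -> /backend/cms chain from the page."""
    last_signin = {}
    chains = []
    for req in sorted(requests, key=lambda r: r.ts):
        if req.method == "POST" and req.path == SIGNIN_PATH:
            last_signin[req.client] = req.ts
        elif is_exploit_attempt(req):
            signin_ts = last_signin.get(req.client)
            if signin_ts is not None and req.ts - signin_ts <= window:
                chains.append((req.client, signin_ts, req.ts, classify(req)))
    return chains


# Constructed sample log. The exploit body reuses the URL-encoded payload the
# page lists under "Detection & IOCs"; IPs and timestamps are made up.
PAYLOAD = ("templateType=page&markup=%3C%3Fphp%0D%0A%0D%0Afunction+onInit()+%7B%0D%0A"
           "++++phpinfo()%3B%0D%0A%7D%0D%0A%0D%0A%3F%3E%0D%0A%3D%3D%0D%0A")
AJAX = {"X-Requested-With": "XMLHttpRequest"}
SAMPLE_LOG = [
    Request(1000, "203.0.113.7", "POST", SIGNIN_PATH, {}, "login=admin&password=REDACTED"),
    Request(1005, "203.0.113.7", "POST", CMS_PATH,
            {**AJAX, "X-OCTOBER-REQUEST-HANDLER": "onCreateTemplate"}, "templateType=page"),
    Request(1009, "203.0.113.7", "POST", CMS_PATH,
            {**AJAX, "x-october-request-handler": "onSave"}, PAYLOAD),
    # A legitimate editor saving a page: same handler, HTML-only markup.
    Request(1100, "198.51.100.2", "POST", SIGNIN_PATH, {}, "login=editor&password=REDACTED"),
    Request(1130, "198.51.100.2", "POST", CMS_PATH,
            {**AJAX, "X-OCTOBER-REQUEST-HANDLER": "onSave"},
            "templateType=page&markup=%3Ch1%3EHello%3C%2Fh1%3E"),
]

if __name__ == "__main__":
    for chain in find_attack_chains(SAMPLE_LOG):
        print("attack chain:", chain)
```

Header lookup is case-insensitive because proxies commonly lower-case header names on the way to the log; the body is decoded with `parse_qs` rather than searched for the literal `%3C%3Fphp` so that alternative encodings of the same PHP open tag still match.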
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSS 2.0 | 8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C |
| Oracle (vendor) | — | 5.3 | MEDIUM | — |
The Oracle score belongs to an entry that cites CVE-2021-21705, a different identifier (see the Oracle section below); it does not rate this October CMS issue.
OSV
osv · 2022-02-23 · CVE-2022-21705 [HIGH] Authenticated remote code execution in October CMS
### Impact
An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code.
- This issue only affects admin panels that rely on safe mode and restricted permissions.
- To exploit this vulnerability, an attacker must first have access to the backend area.
### Patches
The issue has been patched in Build 474 (v1.0.474) and v1.1.10.
### Workarounds
Apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually if unable to upgrade to Build 474 or v1.1.10.
### References
Credits to:
- David Miller
### For more information
If you have any que
GHSA
ghsa · 2022-02-23 · CVE-2022-21705 [HIGH] CWE-74 Authenticated remote code execution in October CMS
The GHSA advisory body (Impact, Patches, Workarounds, References, credit to David Miller) is identical to the OSV entry above.
Oracle
vendor_oracle · 2022-01-15 · CVSS 5.3
CVE-2021-21705 [MEDIUM] Oracle Communications Risk Matrix: Management (PHP)
This entry refers to CVE-2021-21705, not CVE-2022-21705; it appears here through identifier confusion and should not be read as an Oracle assessment of the October CMS issue.
CVE: CVE-2021-21705
CVSS: 5.3
Protocol: HTTP
Remote exploit: Yes
Attack vector: Network
Advisory: cpujan2022 (JAN 2022)
No detection rules found.
Nuclei
nuclei · CVSS 7.2 · CVE-2022-21705 [HIGH] October CMS - Remote Code Execution
October CMS is susceptible to remote code execution. In affected versions, user input is not properly sanitized before rendering. An authenticated user with the permissions to create, modify, and delete website pages can bypass cms.safe_mode and cms.enableSafeMode in order to execute arbitrary code. This affects admin panels that rely on safe mode and restricted permissions.
Template (the indexed copy is cut off after the `info` block):
```yaml
id: CVE-2022-21705
info:
  name: October CMS - Remote Code Execution
  author: iPhantasmic
  severity: high
  description: |
    October CMS is susceptible to remote code execution. In affected versions, user input is not properly sanitized before rendering. An authenticated user with the permissions to create, modify, and delete website pages can bypass cms.safe_mode and cms.enabl
```
No writeups or analysis indexed.
References
- https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe
- https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22