CVE-2022-21705
published 2022-02-23

Priority: P357 (high)
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 8.68% (94.5th percentile)
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code. This issue only affects admin panels that rely on safe mode and restricted permissions. To exploit this vulnerability, an attacker must first have access to the backend area. The issue has been patched in Build 474 (v1.0.474) and v1.1.10. Users unable to upgrade should apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to their installation manually.

Affected (8 ranges)

Vendor      Product   Version range           Fixed in
october     system    >= 0, < 1.0.474         1.0.474
october     system    >= 1.1.0, < 1.1.10      1.1.10
october     system    >= 2.0.0, < 2.1.27      2.1.27
octobercms  october   < 1.0.474               1.0.474
octobercms  october   (range not extracted)
octobercms  october   (range not extracted)
octobercms  october   >= 1.1.0, < 1.1.10      1.1.10
octobercms  october   >= 2.0.0, < 2.1.27      2.1.27

Detection & IOCs (extracted from sources)

url      /backend/backend/auth/signin
url      /backend/cms
other    X-OCTOBER-REQUEST-HANDLER: onSave
other    X-OCTOBER-REQUEST-HANDLER: onCreateTemplate
other    X-OCTOBER-REQUEST-HANDLER: onOpenTemplate
command  markup=%3C%3Fphp%0D%0A%0D%0Afunction+onInit()+%7B%0D%0A++++phpinfo()%3B%0D%0A%7D%0D%0A%0D%0A%3F%3E%0D%0A%3D%3D%0D%0A
         URL-decoded, the markup field is a PHP block followed by the October template section separator "==":
             <?php
             function onInit() {
                 phpinfo();
             }
             ?>
             ==
  • Detect exploitation attempts by monitoring POST requests to /backend/cms with the custom header X-OCTOBER-REQUEST-HANDLER set to onSave whose markup parameter contains PHP code (e.g., a URL-encoded <?php ... ?> block).
  • Alert on responses that contain both 'function onInit()' and 'phpinfo()' in the body together with the safe mode warning string; that combination confirms a successful safe mode bypass and code execution.
  • Monitor for the X-Requested-With: XMLHttpRequest header combined with an X-OCTOBER-REQUEST-HANDLER header of onSave, onCreateTemplate, or onOpenTemplate on the /backend/cms endpoint; these are the handlers abused in the exploit chain.
  • The exploit requires an authenticated session: a POST to /backend/backend/auth/signin followed by POSTs to /backend/cms carrying PHP in the markup parameter is the attack-chain indicator to look for.
  • Flag POST bodies to /backend/cms containing 'templateType=page' together with URL-encoded PHP tags (%3C%3Fphp) in the markup parameter, which indicates an attempt to inject PHP code into a CMS page template. Match on the decoded body rather than the raw string, since the same tag can arrive with different percent-encodings.
  • The vulnerability only matters for October CMS installations that rely on cms.safe_mode / cms.enableSafeMode and restrict backend permissions. Installations that do not use safe mode as a security boundary are not the primary target.
  • Exploitation requires an authenticated user with permissions to create, modify, and delete website pages; unauthenticated exploitation is not possible.
  • The fix is in Build 474 (v1.0.474) and v1.1.10; where upgrading is not possible, apply the library commit referenced above manually.
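As an added example (not code from this page, from October CMS, or from the exploit author), the following Python applies the detection rules above to request records. The record shape, the client addresses, the sign-in body and the benign Twig save are constructed for the example; the payload string is the one quoted in the IOC list. The response-side check takes the installation's safe mode warning string as an optional parameter because the page does not quote it.

```python
"""Detection logic for the CVE-2022-21705 indicators listed above.
Added example; request records are constructed, not captured traffic."""
from urllib.parse import parse_qs

# Handlers the page names as abused in the exploit chain.
SUSPICIOUS_HANDLERS = {"onSave", "onCreateTemplate", "onOpenTemplate"}
SIGNIN_PATH = "/backend/backend/auth/signin"
CMS_PATH = "/backend/cms"


def form_fields(body):
    """Decode a form-urlencoded body into {name: first value}.
    parse_qs percent-decodes, so %3C%3Fphp arrives here as '<?php'."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify_request(req):
    """Return the list of indicators matched by one request record.
    req is a dict {'client', 'method', 'path', 'headers', 'body'} (assumed shape)."""
    hits = []
    if req["method"] != "POST" or req["path"] != CMS_PATH:
        return hits
    headers = {k.lower(): v for k, v in req["headers"].items()}
    handler = headers.get("x-october-request-handler", "")
    if handler in SUSPICIOUS_HANDLERS:
        hits.append("handler:" + handler)
        if headers.get("x-requested-with") == "XMLHttpRequest":
            hits.append("ajax-handler")
    fields = form_fields(req["body"])
    if fields.get("templateType") == "page":
        hits.append("templateType=page")
    markup = fields.get("markup", "")
    if "<?php" in markup.lower():
        hits.append("php-tag-in-markup")
        # A line consisting of '==' is October's template section separator;
        # a PHP block followed by it is the shape of the quoted payload.
        if any(line.strip() == "==" for line in markup.splitlines()):
            hits.append("section-separator-after-php")
    return hits


def is_exploit_attempt(req):
    """Decision rule: an abused handler plus PHP in the markup field."""
    hits = classify_request(req)
    return "php-tag-in-markup" in hits and any(h.startswith("handler:") for h in hits)


def find_attack_chains(requests):
    """Per client, a sign-in POST followed later by a flagged /backend/cms POST.
    Returns (client, index_of_flagged_request) pairs in arrival order."""
    signed_in = set()
    chains = []
    for i, req in enumerate(requests):
        if req["method"] == "POST" and req["path"] == SIGNIN_PATH:
            signed_in.add(req["client"])
        elif req["client"] in signed_in and is_exploit_attempt(req):
            chains.append((req["client"], i))
    return chains


def response_confirms_rce(body, safe_mode_warning=None):
    """Response-side rule from the page: injected onInit()/phpinfo() text echoed back.
    safe_mode_warning is the installation's own warning string (not quoted on the
    page), so it is optional here; pass it to require the full three-way match."""
    if "function onInit()" not in body or "phpinfo()" not in body:
        return False
    return safe_mode_warning is None or safe_mode_warning in body


# Constructed sample traffic. PAYLOAD is the encoded string from the IOC list.
PAYLOAD = ("markup=%3C%3Fphp%0D%0A%0D%0Afunction+onInit()+%7B%0D%0A++++phpinfo()%3B%0D%0A%7D"
           "%0D%0A%0D%0A%3F%3E%0D%0A%3D%3D%0D%0A")
SAMPLE_REQUESTS = [
    {"client": "198.51.100.7", "method": "POST", "path": SIGNIN_PATH,
     "headers": {}, "body": "login=editor&password=x"},
    {"client": "198.51.100.7", "method": "POST", "path": CMS_PATH,
     "headers": {"X-Requested-With": "XMLHttpRequest", "X-OCTOBER-REQUEST-HANDLER": "onSave"},
     "body": "templateType=page&fileName=about.htm&" + PAYLOAD},
    {"client": "203.0.113.5", "method": "POST", "path": CMS_PATH,  # benign save, Twig only
     "headers": {"X-Requested-With": "XMLHttpRequest", "X-OCTOBER-REQUEST-HANDLER": "onSave"},
     "body": "templateType=page&fileName=home.htm&markup=%3Ch1%3E%7B%7B+title+%7D%7D%3C%2Fh1%3E"},
]

if __name__ == "__main__":
    for i, r in enumerate(SAMPLE_REQUESTS):
        print(i, r["client"], r["path"], classify_request(r))
    print("chains:", find_attack_chains(SAMPLE_REQUESTS))
```

The benign record shows why the handler and XMLHttpRequest headers alone are not enough to alert on: every ordinary page save from the backend editor carries them. The decision rule keys on PHP appearing in the markup field, which is exactly what safe mode is supposed to forbid.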

CVSS provenance

NVD (CVSS v3.1):    7.2 HIGH    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0):    8.5 HIGH    AV:N/AC:M/Au:S/C:C/I:C/A:C
vendor_oracle:      5.3 MEDIUM