CVE-2022-24800 — Race Condition in October

CWE-362 — Race Condition3 documents3 sources

Severity

8.1HIGHNVD

EPSS

2.9%

top 13.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Octobercms October October System

Timeline

PublishedJul 12

Latest updateJul 13

Description

October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory. This vulnerability affects plugins that expose the `October\Rain\Database\Attach\File::fromData` as a public interf…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶Packagistoctober/system1.1.0 — 1.1.12+2

▶NVDoctobercms/october1.1.0 — 1.1.12+2

▶CVEListV5octobercms/october>= 1.1.0, < 1.1.12, >= 2.0.0, < 2.2.15+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

October CMS upload process vulnerable to RCE via Race Condition↗2022-07-13

▶

OSV

October CMS upload process vulnerable to RCE via Race Condition↗2022-07-13

▶