CVE-2022-35944 – October CMS Safe Mode bypass leads to authenticated RCE (Remote Code Execution)
https://notcve.org/view.php?id=CVE-2022-35944
October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request. The issue has been patched in versions 2.2.34 and 3.0.66. October es una plataforma de Sistema de Administración de Contenidos (CMS) auto alojada basada en el Framework PHP Laravel. • https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2022-24800 – Race Condition in October CMS upload process
https://notcve.org/view.php?id=CVE-2022-24800
October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory. This vulnerability affects plugins that expose the `October\Rain\Database\Attach\File::fromData` as a public interface and does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally. The issue has been patched in Build 476 (v1.0.476), v1.1.12, and v2.2.15. Those who are unable to upgrade may apply with patch to their installation manually as a workaround. • https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83 https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2022-21705 – Authenticated remote code execution in octobercms
https://notcve.org/view.php?id=CVE-2022-21705
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code. This issue only affects admin panels that rely on safe mode and restricted permissions. To exploit this vulnerability, an attacker must first have access to the backend area. • https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2021-41126 – Deleted Admin Can Sign In to Admin Interface
https://notcve.org/view.php?id=CVE-2021-41126
October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the october/october package. There are no workarounds for this issue and all users should update. October es un Sistema de Administración de Contenidos (CMS) y una plataforma web construida sobre el framework PHP Laravel. • https://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7 https://octobercms.com/changelog • CWE-287: Improper Authentication •