SB2021082616 - Multiple vulnerabilities in October CMS
Published: August 26, 2021 Updated: January 19, 2022
Description
This security bulletin contains information about 2 vulnerabilities.
1) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: CVE-2021-32648)
CWE-ID: CWE-640 - Weak password recovery mechanism
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber
The vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to a weak password recovery mechanism. A remote attacker can send a specially crafted request to the web application, reset the password of an arbitrary account and gain unauthorized access to the application.
2) Improper Authentication (CVE-ID: CVE-2021-29487)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass the authentication process and impersonate another user.
The vulnerability exists due to an error in how authentication via persist cookies is handled. A remote attacker can impersonate another application user and gain unauthorized access to the application.
Successful exploitation of the vulnerability requires knowledge of the Laravel secret key used for cookie encryption and signing, and that the targeted user account is logged in at the time of exploitation.
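To make the precondition concrete, here is an added example (not October CMS or Laravel code) of why the application key is the gate: a signed persist cookie carrying a user id is accepted by any check that relies on the signature alone, so whoever holds the key can mint one for an arbitrary user, while a cookie signed with a wrong key fails the MAC check. Laravel cookies are also encrypted; only the signing step is modelled here because it is what decides acceptance. The second verifier, which additionally requires the cookie's persist code to match one stored server-side for a currently logged-in user, is a generic hardening shown for contrast and is not a description of the vendor's fix. `APP_KEY`, `WRONG_KEY`, `ACTIVE_PERSIST_CODES` and all function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed keys: the server's real key and a guess an attacker might try.
APP_KEY = secrets.token_bytes(32)
WRONG_KEY = secrets.token_bytes(32)

# Constructed server-side state: persist code issued at login, keyed by user id.
# An entry exists only while that user has a live "remember me" session.
ACTIVE_PERSIST_CODES = {}


def sign_cookie(payload, key):
    """Serialize a cookie payload and append an HMAC-SHA256 over it."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_cookie(cookie, key):
    """Return the payload if the MAC verifies under `key`, else None."""
    try:
        body, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def login_remember(user_id):
    """Issue a persist cookie bound to a fresh server-side persist code."""
    code = secrets.token_hex(16)
    ACTIVE_PERSIST_CODES[user_id] = code
    return sign_cookie({"id": user_id, "persist_code": code}, APP_KEY)


def logout(user_id):
    ACTIVE_PERSIST_CODES.pop(user_id, None)


def authenticate_signature_only(cookie):
    """Trusts any correctly signed cookie: whoever holds APP_KEY can mint a
    cookie for any user id and be accepted as that user."""
    payload = verify_cookie(cookie, APP_KEY)
    return payload["id"] if payload else None


def authenticate_with_server_check(cookie):
    """Additionally requires the persist code to match the one currently stored
    for that user, so a forged cookie is useless unless it also carries the
    code of a live session (generic hardening, assumed for the example)."""
    payload = verify_cookie(cookie, APP_KEY)
    if not payload:
        return None
    stored = ACTIVE_PERSIST_CODES.get(payload["id"])
    if stored is None or not hmac.compare_digest(stored, payload["persist_code"]):
        return None
    return payload["id"]


def forge_cookie(user_id, key, persist_code="guess"):
    """Attacker's move: mint a cookie for an arbitrary user with a candidate key."""
    return sign_cookie({"id": user_id, "persist_code": persist_code}, key)
```

The contrast shows the two halves of the bulletin's precondition: without the key, forgery fails at the MAC; with the key, a signature-only check accepts any user id, and only server-side state tied to an active login narrows what a holder of the key can do.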
Remediation
Install the update from the vendor's website.