Authorization bypass in October CMS
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-41126 |
| CWE-ID | CWE-285 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
October CMS Web applications / CMS |
| Vendor | OctoberCMS |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Improper Authorization
EUVDB-ID: #VU57098
Risk: Medium
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-41126
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise the affected application.
The vulnerability exists due to improper authorization. An attacker who previously had an administrative account with access to the admin interface is able to sign in to the backend using October CMS v2.0 even after the account has been deleted.
Install updates from vendor's website.
Vulnerable software versionsOctober CMS: 2.1.11
External linkshttp://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
