Multiple vulnerabilities in October CMS
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2021-32649 CVE-2021-32650 |
| CWE-ID | CWE-94 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
October CMS Web applications / CMS |
| Vendor | OctoberCMS |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Code Injection
EUVDB-ID: #VU59616
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-32649
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary PHP code on the target system.
The vulnerability exists due to improper input validation. A remote user with "create, modify and delete website pages" privileges can execute PHP code by running specially crafted Twig code in the template markup.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOctober CMS: 1.0.319 - 1.1.5
External linkshttp://github.com/octobercms/october/security/advisories/GHSA-wv23-pfj7-2mjj/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Code Injection
EUVDB-ID: #VU59615
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-32650
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary PHP code on the target system.
The vulnerability exists due to improper input validation in the theme import feature. A remote user with access to the backend can bypass the safe mode feature that prevents PHP execution in the CMS templates and execute arbitrary PHP code on the system.
Install updates from vendor's website.
Vulnerable software versionsOctober CMS: 1.0.319 - 1.1.5
External linkshttp://github.com/octobercms/october/security/advisories/GHSA-5hfj-r725-wpc4/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
