Code Injection in October CMS - CVE-2021-32650

 

Code Injection in October CMS - CVE-2021-32650

Published: January 14, 2022


Vulnerability identifier: #VU59615
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-32650
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OctoberCMS
Affected software:
October CMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary PHP code on the target system.

The vulnerability exists due to improper input validation in the theme import feature. A remote user with access to the backend can bypass the safe mode feature that prevents PHP execution in the CMS templates and execute arbitrary PHP code on the system.



How to mitigate CVE-2021-32650

Install updates from vendor's website.

Sources