Code Injection in October CMS - CVE-2021-32650


Published: January 14, 2022


Vulnerability identifier: #VU59615
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-32650
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
October CMS
Software vendor:
OctoberCMS

Description

The vulnerability allows a remote user to execute arbitrary PHP code on the target system.

The vulnerability exists due to improper input validation in the theme import feature. A remote user with access to the backend can bypass the safe mode feature that prevents PHP execution in the CMS templates and execute arbitrary PHP code on the system.
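The weakness described above is that a theme archive can carry PHP that the template engine will later run even though safe mode is meant to forbid it. As a defensive illustration (an added example, not October CMS code and not the vendor's fix), the following Python script audits a zipped theme before import and reports every template line that contains a PHP open tag. It assumes the archive layout of a typical theme (a `theme.yaml` manifest plus `pages/*.htm` templates) and that, under safe mode, no imported template may contain a PHP section at all; the sample archive it builds is constructed for the demonstration.

```python
"""Audit a zipped theme for embedded PHP before it is imported (added example)."""
import io
import re
import zipfile
from typing import Dict, List

# Match the full "<?php" tag and the short echo tag "<?=" (case-insensitive).
# "<?xml" prologues in legitimate assets deliberately do not match.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# File types the template engine or web server might render. Assumption: under
# safe mode none of these may carry PHP when they arrive through theme import.
SCANNED_SUFFIXES = (".htm", ".html", ".php", ".phtml", ".twig", ".xml")


def find_php_in_bytes(data: bytes) -> List[int]:
    """Return the 1-based line numbers at which a PHP open tag appears."""
    hits = []
    for lineno, line in enumerate(data.splitlines(), start=1):
        if PHP_TAG.search(line):
            hits.append(lineno)
    return hits


def audit_theme_archive(archive_bytes: bytes) -> Dict[str, List[int]]:
    """Scan every template-like file in the archive.

    Returns {archive path: [line numbers]} for files that contain PHP; an empty
    dict means the archive is clean and may be handed to the importer.
    """
    findings: Dict[str, List[int]] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(SCANNED_SUFFIXES):
                continue
            hits = find_php_in_bytes(zf.read(info))
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_theme() -> bytes:
    """Constructed sample theme (not a real theme) with one offending template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/theme.yaml", "name: Demo\nauthor: constructed sample\n")
        # Clean template: Twig markup only.
        zf.writestr("demo/pages/home.htm",
                    'title = "Home"\nurl = "/"\n==\n<h1>{{ this.page.title }}</h1>\n')
        # Offending template: a PHP section between the "==" separators.
        zf.writestr("demo/pages/contact.htm",
                    'title = "Contact"\nurl = "/contact"\n==\n'
                    "<?php\nfunction onStart() { $this['now'] = date('c'); }\n?>\n"
                    "==\n<p>{{ now }}</p>\n")
        # XML prologue must not be mistaken for PHP.
        zf.writestr("demo/assets/feed.xml", '<?xml version="1.0"?><feed/>\n')
    return buf.getvalue()


if __name__ == "__main__":
    for path, lines in audit_theme_archive(build_sample_theme()).items():
        print(f"PHP found in {path} at line(s) {lines}; refusing import")
```

Run against the constructed archive, the script flags `demo/pages/contact.htm` at line 4 and nothing else. In a real deployment the same check belongs in the import path itself, before any file is written under the themes directory, and its findings should be logged so that repeated rejected uploads from one backend account are visible to the operations team.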



Remediation

Install updates from the vendor's website.

External links