#VU59615 Code Injection

Published: 2022-01-14

Vulnerability identifier: #VU59615

Vulnerability risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-32650


Exploitation vector: Network

Exploit availability: No

Vulnerable software:
October CMS
Web applications / CMS

Vendor: OctoberCMS


The vulnerability allows a remote user to execute arbitrary PHP code on the target system.

The vulnerability exists due to improper input validation in the theme import feature. A remote user with access to the backend can bypass the safe mode feature that prevents PHP execution in the CMS templates and execute arbitrary PHP code on the system.

Install updates from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.1.5


External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability