CVE-2022-21705
HIGH7.2EPSS 70.3%Authenticated remote code execution in October CMS
Description
### Impact An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code. - This issue only affects admin panels that rely on safe mode and restricted permissions. - To exploit this vulnerability, an attacker must first have access to the backend area. ### Patches The issue has been patched in Build 474 (v1.0.474) and v1.1.10. ### Workarounds Apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually if unable to upgrade to Build 474 or v1.1.10. ### References Credits to: - David Miller ### For more information If you have any questions or comments about this advisory: - Email us at [[email protected]](mailto:[email protected])
Affected packages (1)
- Packagist/october/systemfrom 0, < 1.0.474
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |