Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-32650

October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with access to the backend is able to execute PHP code by using the theme import feature. This will bypass the safe mode feature that prevents PHP execution in the CMS templates.The issue has been patched in Build 473 (v1.0.473) and v1.1.6. Those unable to upgrade may apply the patch to their installation manually as a workaround.

CVE
Open in Source
#php

Arbitrary code execution

Package

composer october/system (Composer)

Affected versions

1.0.472, 1.1.5

Patched versions

1.0.473, 1.1.6

Description

Impact

Assuming an attacker with access to the backend is able to execute PHP code by using the theme import feature. This will bypass the safe mode feature that prevents PHP execution in the CMS templates.

Patches

Issue has been patched in Build 473 and v1.1.6

Workarounds

Apply 167b592 to your installation manually if you are unable to upgrade.

References

Credits to:
• Sushi Yushi

For more information

If you have any questions or comments about this advisory:

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE