Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-32649

October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with “create, modify and delete website pages” privileges in the backend is able to execute PHP code by running specially crafted Twig code in the template markup. The issue has been patched in Build 473 (v1.0.473) and v1.1.6. Those unable to upgrade may apply the patch to their installation manually as a workaround.

CVE
#web#php#rce#auth

Authenticated file write leads to remote code execution

Package

composer october/system (Composer)

Affected versions

1.0.472, 1.1.5

Patched versions

1.0.473, 1.1.6

Description

Impact

Assuming an attacker with “create, modify and delete website pages” privileges in the backend is able to execute PHP code by running specially crafted Twig code in the template markup.

Patches

Issue has been patched in Build 473 and v1.1.6

Workarounds

Apply 167b592 to your installation manually if you are unable to upgrade.

References

Credits to:
• David Miller

For more information

If you have any questions or comments about this advisory:

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907