HIGH🚩 CISA KEV⚑ EXPLOITπŸ‡΅πŸ‡± Wersja polska

CVE-2021-32648

CVSS 8.2v3.1pub. 2021-08-26upd. 2025-10-24

octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
  • Octobercms October

    APP
    Octobercms
    1.0.4711.1.1 – 1.1.5 (bez)

CISA KEV β€” detailsi

Vendori
October CMS
Producti
October CMS
Added to KEVi
January 18, 2022
Remediation deadline (US Federal)i
February 1, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.

πŸ”΄
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
⏰CISA DEADLINE: 1 lutego 2022
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2023-44382CRITICAL9.1PL βœ“ten sam produkt

October CMS β€” ucieczka z piaskownicy Twig i wykonanie arbitralnego PHP

CVE-2021-3311CRITICAL9.8ten sam produkt

An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid...

CVE-2017-1000197CRITICAL9.8ten sam produkt

October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creatin...

CVE-2017-1000194CRITICAL9.8ten sam produkt

October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulti...

CVE-2017-1000196CRITICAL9.8ten sam produkt

October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site...

CVE-2021-32648 β€” Octobercms β€” October β€” HIGH β€” CVSS 8.2 | CVEbaza.pl