CVE-2022-35944

2022-10-1322:15:10

CWE-94

[email protected]

web.nvd.nist.gov

cve-2022-35944

october cms

safe mode bypass

vulnerability

laravel php framework

content management system

nvd

patch

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

38.9%

JSON

October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the “Editor” section, they can bypass the Safe Mode (cms.safe_mode) restriction to introduce new PHP code in a CMS template using a specially crafted request. The issue has been patched in versions 2.2.34 and 3.0.66.

Affected configurations

Vulners

NVD

Node

octobercmsoctoberRange3.0.0–3.0.66

octobercmsoctoberRange<2.2.34

VendorProductVersionCPE
octobercmsoctober*cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*
octobercmsoctober*cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
octobercms	october	*	cpe:2.3:a:octobercms:october::::::::
octobercms	october	*	cpe:2.3:a:octobercms:october::::::::

CNA Affected

[
  {
    "vendor": "octobercms",
    "product": "october",
    "versions": [
      {
        "version": ">= 3.0.0, < 3.0.66",
        "status": "affected"
      },
      {
        "version": "< 2.2.34",
        "status": "affected"
      }
    ]
  }
]