Lucene search


7 matches found

CVE, added 2022/02/23 7:15 p.m., 132 views

CVE-2022-21705

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass cms.safe_mode / cm...

CVSS 8.5, AI score 7.2, EPSS 0.84982

CVE, added 2022/07/12 8:15 p.m., 88 views

CVE-2022-24800

October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the fromData method, an unauthenticated user can perform remote code...

CVSS 8.1, AI score 8.5, EPSS 0.02925

CVE, added 2022/01/14 3:15 p.m., 66 views

CVE-2021-32650

October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with access to the backend is able to execute PHP code by using the theme import feature. This will bypass the safe mode feature that prevents P...

CVSS 8.8, AI score 8.9, EPSS 0.0013

CVE, added 2022/01/14 3:15 p.m., 61 views

CVE-2021-32649

October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with "create, modify and delete website pages" privileges in the backend is able to execute PHP code by running specially crafted Twig code in t...

CVSS 8.8, AI score 8.8, EPSS 0.00471

CVE, added 2017/11/01 1:29 a.m., 54 views

CVE-2017-16244

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a cer...

CVSS 8.8, AI score 8.5, EPSS 0.00403

CVE, added 2018/07/23 3:29 p.m., 45 views

CVE-2018-1999009

October CMS version prior to Build 437 contains a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (makeFileContents function) that can result in sensitive information disclosure and remote code execution. This attack appears to be exploitable remotely if the /backend pa...

CVSS 8.1, AI score 8.2, EPSS 0.01893

CVE, added 2017/11/25 5:29 a.m., 40 views

CVE-2017-16941

October CMS through 1.0.428 does not prevent use of .htaccess in themes, which allows remote authenticated users to execute arbitrary PHP code by downloading a theme ZIP archive from /backend/cms/themes, and then uploading and importing a modified archive with two new files: a .php file and a .htac...

CVSS 8.8, AI score 8.7, EPSS 0.00508