Описание
Deleted Admin Can Sign In to Admin Interface
Impact
Assuming an administrator once had previous access to the admin interface, they may still be able to sign in to the backend using October CMS v2.0.
Patches
The issue has been patched in v2.1.12
Workarounds
-
Reset the password of the deleted accounts to prevent them from signing in.
-
Please contact hello@octobercms.com for code change instructions if you are unable to upgrade.
References
Credits to: • Daniel Bidala
For more information
If you have any questions or comments about this advisory:
- Email us at hello@octobercms.com
Пакеты
october/october
>= 2.1.0, < 2.1.12
2.1.12
october/system
>= 2.1.0, < 2.1.12
2.1.12
Связанные уязвимости
October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the october/october package. There are no workarounds for this issue and all users should update.