Description
octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package, an attacker can exploit this vulnerability to bypass authentication and take over any user account on an October CMS server. The vulnerability is exploitable by unauthenticated users via a specially crafted request. It affects only frontend users, and the attacker must obtain a Laravel secret key for cookie encryption and signing in order to exploit it. The issue has been patched in Build 472 and v1.1.5.
References
- Patch, Third Party Advisory
- Patch, Third Party Advisory
- Patch, Third Party Advisory
- Patch, Third Party Advisory
- Patch, Third Party Advisory
- Patch, Third Party Advisory
Vulnerable configurations
Configuration 1
Version from 1.0.471 (inclusive) to 1.0.472 (exclusive)
Version from 1.1.1 (inclusive) to 1.1.5 (exclusive)
One of
cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*
cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*
EPSS
Percentile: 65%
0.00503
Low
CVSS3: 7.4 High
CVSS2: 5.8 Medium
Weaknesses
CWE-287
NVD-CWE-Other