CVE-2022-23655

Опубликовано: 24 фев. 2022

Источник: nvd

CVSS3: 4.8

CVSS3: 5.3

CVSS2: 2.6

EPSS Низкий

Описание

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to build 474 or v1.1.10. The only known workaround is to manually apply the patch (e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a) which adds server signature validation.

Ссылки

https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a
Patch
Third Party Advisory
https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5
Patch
Third Party Advisory
https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a
Patch
Third Party Advisory
https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*

Версия до 1.0.475 (исключая)

cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*

Версия от 1.1.0 (включая) до 1.1.11 (исключая)

EPSS

Процентиль: 35%

0.00142

Низкий

4.8 Medium

CVSS3

5.3 Medium

CVSS3

2.6 Low

CVSS2

Дефекты

CWE-347

Связанные уязвимости

GHSA-53m6-44rc-h2q5

CVSS3: 4.8

github

почти 4 года назад

Missing server signature validation in OctoberCMS

BDU:2022-01033

CVSS3: 4.8

fstec

почти 4 года назад

Уязвимость CMS-системы October CMS, связанная с некорректной проверкой криптографической подписи, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 35%

0.00142

Низкий

4.8 Medium

CVSS3

5.3 Medium

CVSS3

2.6 Low

CVSS2

Дефекты

CWE-347