Vulnerability Description
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code. This issue only affects admin panels that rely on safe mode and restricted permissions. To exploit this vulnerability, an attacker must first have access to the backend area. The issue has been patched in Build 474 (v1.0.474) and v1.1.10. Users unable to upgrade should apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Octobercms | October | < 1.0.474 |
Related Weaknesses (CWE)
References
- https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61PatchThird Party Advisory
- https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22Issue TrackingPatchThird Party Advisory
- https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61PatchThird Party Advisory
- https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22Issue TrackingPatchThird Party Advisory
FAQ
What is CVE-2022-21705?
CVE-2022-21705 is a vulnerability with a CVSS score of 7.2 (HIGH). Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to ...
How severe is CVE-2022-21705?
CVE-2022-21705 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-21705?
Check the references section above for vendor advisories and patch information. Affected products include: Octobercms October.