Vulnerability Description
OctoberCMS is a self-hosted CMS platform based on the Laravel PHP framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result, non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to build 474 or v1.1.10. The only known workaround is to manually apply the patch (e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a), which adds server signature validation.
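The check the patch adds is the familiar one: refuse any gateway response that does not carry a valid signature from the authoritative server, and only then act on its contents. The following is an added illustration, not OctoberCMS's own code or its actual gateway protocol; it assumes a hypothetical JSON update response and uses a pinned HMAC key as a stdlib-only stand-in for the gateway's signing key, placing the unverified (vulnerable) handler beside the verified one.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for a key pinned in the client's configuration. A real
# deployment would pin the authoritative gateway's public key; a shared HMAC
# secret is used here only so the example runs with the standard library.
GATEWAY_KEY = b"constructed-demo-key-not-a-real-secret"


def sign(body: bytes, key: bytes = GATEWAY_KEY) -> str:
    """What the authoritative gateway does: sign the exact bytes it sends."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def handle_unverified(body: bytes, signature: Optional[str]) -> dict:
    """Vulnerable pattern: act on whatever the configured gateway returns."""
    return json.loads(body)


def handle_verified(body: bytes, signature: Optional[str]) -> dict:
    """Hardened pattern: reject anything the pinned key did not sign."""
    if not signature:
        raise ValueError("gateway response is unsigned")
    expected = sign(body)
    # Constant-time comparison so the check itself does not leak via timing.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        raise ValueError("gateway signature mismatch")
    return json.loads(body)


# Constructed responses: one from the authoritative gateway, one from a host
# that is not authoritative and therefore does not hold the pinned key.
GOOD_BODY = b'{"build": 475, "download": "https://gateway.example/core.zip"}'
GOOD_SIG = sign(GOOD_BODY)
ROGUE_BODY = b'{"build": 475, "download": "https://rogue.example/core.zip"}'
ROGUE_SIG = sign(ROGUE_BODY, b"some-other-key")  # signed, but not by the pinned key


if __name__ == "__main__":
    print("accepted:", handle_verified(GOOD_BODY, GOOD_SIG)["download"])
    print("trusted blindly:", handle_unverified(ROGUE_BODY, ROGUE_SIG)["download"])
    for sig in (ROGUE_SIG, None):
        try:
            handle_verified(ROGUE_BODY, sig)
        except ValueError as err:
            print("rejected:", err)
```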
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Octobercms | October | < 1.0.475 |
Related Weaknesses (CWE)
References
- https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000c (Patch, Third Party Advisory)
- https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5 (Patch, Third Party Advisory)
FAQ
What is CVE-2022-23655?
CVE-2022-23655 is a vulnerability with a CVSS score of 4.8 (MEDIUM). OctoberCMS is a self-hosted CMS platform based on the Laravel PHP framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result, non-authoritative gateway servers m...
How severe is CVE-2022-23655?
CVE-2022-23655 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2022-23655?
Check the references section above for vendor advisories and patch information. Affected products include: OctoberCMS October.