Vulnerability Description
October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory. This vulnerability affects plugins that expose the `October\Rain\Database\Attach\File::fromData` as a public interface and does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally. The issue has been patched in Build 476 (v1.0.476), v1.1.12, and v2.2.15. Those who are unable to upgrade may apply with patch to their installation manually as a workaround.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Octobercms | October | < 1.0.476 |
Related Weaknesses (CWE)
References
- https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae02835061PatchThird Party Advisory
- https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jpPatchThird Party Advisory
- https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae02835061PatchThird Party Advisory
- https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jpPatchThird Party Advisory
FAQ
What is CVE-2022-24800?
CVE-2022-24800 is a vulnerability with a CVSS score of 8.1 (HIGH). October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to...
How severe is CVE-2022-24800?
CVE-2022-24800 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-24800?
Check the references section above for vendor advisories and patch information. Affected products include: Octobercms October.