Vulnerability Description
October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. The vulnerability only affects installations that rely on the Safe Mode restriction (`cms.safe_mode`), which is commonly enabled when the admin panel is exposed to the public or to partially trusted users. An attacker who already has access to the admin panel and permission to open the "Editor" section can bypass Safe Mode with a specially crafted request and introduce new PHP code into a CMS template, which is exactly what Safe Mode exists to prevent. Until the fix is applied, Safe Mode therefore cannot be treated as a security boundary against users who hold the Editor permission. The issue has been patched in versions 2.2.34 and 3.0.66.
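The advisory gives two conditions for exposure: an unpatched version on either release branch, and an installation that actually relies on Safe Mode to keep Editor users away from PHP. The following triage script, an added example that is not part of the advisory or of the October CMS code base, encodes both conditions as a version gate plus an exposure decision. It assumes the installed version can be read from the `october/system` entry in `composer.lock` (an assumption; the package name may differ on a given install) and uses a constructed lock file as sample input.

```python
"""Triage helper for CVE-2022-35944 (October CMS Safe Mode bypass).

Added example, not code from the advisory or from October CMS.
"""
import json
import re
from typing import Optional, Tuple

# Fixed versions stated in the advisory: 2.2.34 on the 2.x branch, 3.0.66 on 3.x.
FIXED_2X = (2, 2, 34)
FIXED_3X = (3, 0, 66)

# Constructed sample composer.lock (NOT a real file); the package name
# "october/system" is an assumption about where the version is recorded.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "october/rain", "version": "v2.2.30"},
        {"name": "october/system", "version": "v2.2.30"},
    ]
})


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v2.2.30' or '3.0.65' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside the advisory's affected ranges.

    The affected-products table says "< 2.2.34", so anything on 1.x or 2.x
    below that is in range; the description says 3.x is fixed in 3.0.66.
    Later major lines are outside the advisory's stated ranges.
    """
    v = parse_version(version)
    if v[0] <= 2:
        return v < FIXED_2X
    if v[0] == 3:
        return v < FIXED_3X
    return False


def installed_october_version(lock_json: str,
                              package: str = "october/system") -> Optional[str]:
    """Read the version of `package` from composer.lock JSON, or None if absent."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == package:
            return pkg.get("version")
    return None


def triage(lock_json: str, relies_on_safe_mode: bool) -> str:
    """Combine the version gate with the deployment condition from the advisory.

    Returns one of:
      "unknown"      - version could not be determined
      "patched"      - version is at or above the fixed release for its branch
      "not exposed"  - vulnerable version, but Safe Mode is not relied on, so
                       Editor users were already trusted with PHP
      "exposed"      - vulnerable version and Safe Mode is the only thing
                       keeping Editor users away from PHP: upgrade now
    """
    version = installed_october_version(lock_json)
    if version is None:
        return "unknown"
    if not is_vulnerable(version):
        return "patched"
    return "exposed" if relies_on_safe_mode else "not exposed"


if __name__ == "__main__":
    print(installed_october_version(SAMPLE_LOCK), triage(SAMPLE_LOCK, True))
```

Run it against a real `composer.lock` by reading the file into `triage()`; the `relies_on_safe_mode` flag should mirror whether `cms.safe_mode` is enabled because some admin users are not trusted with PHP. Note that "not exposed" still means the version is unpatched and should be upgraded; it only means this particular bug does not change who can already run PHP.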
CVSS Score
MEDIUM (6.2)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Octobercms | October | < 2.2.34 |
| Octobercms | October | 3.x, < 3.0.66 |
Related Weaknesses (CWE)
References
- https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v (Third Party Advisory)
FAQ
What is CVE-2022-35944?
CVE-2022-35944 is a vulnerability with a CVSS score of 6.2 (MEDIUM). October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the Safe Mode restriction (`cms.safe_mode`), commonly used when providing public access to the admin panel. An attacker with access to the admin panel and permission to open the "Editor" section can bypass Safe Mode with a specially crafted request and introduce new PHP code in a CMS template.
How severe is CVE-2022-35944?
CVE-2022-35944 has been rated MEDIUM with a CVSS base score of 6.2/10. The score reflects that exploitation requires an existing admin-panel account with the Editor permission; only the base severity is listed on this page.
Is there a patch for CVE-2022-35944?
Yes. The vendor advisory linked in the references section (GHSA-x4q7-m6fp-4v9v) states that the issue is patched in October CMS 2.2.34 and 3.0.66; upgrade to the fixed release for your branch or later. Until then, treat the Editor permission as equivalent to PHP execution and grant it only to fully trusted admin users. Affected product: Octobercms October.