Back to KEVs

CVE-2021-32648

Account Takeover in Octobercms

Basic Information

CVE State
PUBLISHED
Reserved Date
May 12, 2021
Published Date
August 26, 2021
Last Updated
February 06, 2025
Vendor
octobercms
Product
october
Description
octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

CVSS Scores

CVSS v3.1

8.2 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (added 2022-01-18 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2022-01-14 15:50:11 UTC) Source

References

https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9

Known Exploited Vulnerability Information

Source Added Date
CISA 2022-01-18 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

Immersive-Labs-Sec/CVE-2021-32648

Type: github • Created: 2022-01-14 15:50:11 UTC • Stars: 12

Proof Of Concept code for OctoberCMS Auth Bypass CVE-2021-32648