CVE-2022-35944
CVE-2022-35944 is a high-severity vulnerability in October CMS, scored 7.2/10 (CVSS v3.1). October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. The issue only affects installations that rely on the safe mode restriction (`cms.safe_mode`), commonly used when the admin panel is exposed to the public: an authenticated backend user with Editor access can bypass it and add PHP code to a CMS template. EPSS estimates a 0.86% chance of exploitation in the next 30 days.
Description
October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. Safe Mode (`cms.safe_mode`) disables the PHP code section of CMS templates so that users of the backend Editor cannot introduce server-side code; it is commonly enabled when the admin panel is reachable from the public internet. This vulnerability only affects installations that rely on that restriction. Assuming an attacker already has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode restriction and introduce new PHP code into a CMS template using a specially crafted request, which amounts to code execution on the server as the web server user. The issue has been patched in versions 2.2.34 and 3.0.66.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Octobercms | October | < 2.2.34 |
| Octobercms | October | >= 3.0.00, < 3.0.66 |
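A practitioner triaging an estate wants a repeatable answer to "is this instance exposed?", which for this CVE depends on three things the page states: the installed version against the two ranges above, whether `cms.safe_mode` is what the installation relies on, and whether anyone other than trusted staff holds Editor permission. The following is an added example (not October CMS code and not an exploit) that encodes exactly those ranges and conditions; the `version`, `safe_mode` and `editor_users` inputs are assumed to be collected by the reader from `composer`/release metadata, `config/cms.php` and the backend user list, and the sample values at the bottom are constructed.

```python
import re

# Affected ranges exactly as listed on this page: lower bound inclusive,
# upper bound exclusive. Note the first range has no lower bound, so
# every release older than 2.2.34 (including the 1.x line) matches it.
AFFECTED_RANGES = [
    ((0, 0, 0), (2, 2, 34)),   # < 2.2.34
    ((3, 0, 0), (3, 0, 66)),   # >= 3.0.00, < 3.0.66
]


def parse_version(s):
    """Turn '3.0.65', 'v3.0.65' or '3.0.00' into a comparable int tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(version):
    """True if the version falls inside either vulnerable range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def assess(version, safe_mode, editor_users):
    """Return (exposed, reason) for one installation.

    version      -- installed October CMS version string
    safe_mode    -- value of cms.safe_mode from the instance's config
    editor_users -- list of backend accounts holding the Editor permission
                    (assumed to be collected by the caller)
    """
    if not version_is_affected(version):
        return False, f"version {version} is outside the affected ranges"
    if not safe_mode:
        # Without safe mode, Editor users may write PHP in templates by
        # design; this CVE adds nothing, but that is its own risk decision.
        return False, ("cms.safe_mode is off: the CVE does not apply, but "
                       "Editor users can already write PHP by design")
    if not editor_users:
        return False, "no account holds the Editor permission"
    return True, (f"version {version} is affected, safe mode is relied on, "
                  f"and {len(editor_users)} account(s) can open the Editor; "
                  "upgrade to 2.2.34 / 3.0.66 or later")


# Constructed sample inventory for illustration.
SAMPLE_INSTANCES = [
    {"name": "marketing-site", "version": "3.0.65", "safe_mode": True,
     "editor_users": ["agency-contractor"]},
    {"name": "intranet", "version": "3.0.66", "safe_mode": True,
     "editor_users": ["webmaster"]},
    {"name": "legacy-blog", "version": "2.2.30", "safe_mode": False,
     "editor_users": ["webmaster", "intern"]},
]


def triage(instances):
    """Map instance name -> (exposed, reason) for a whole inventory."""
    return {i["name"]: assess(i["version"], i["safe_mode"], i["editor_users"])
            for i in instances}


if __name__ == "__main__":
    for name, (exposed, reason) in triage(SAMPLE_INSTANCES).items():
        print(f"{name}: {'EXPOSED' if exposed else 'ok'} - {reason}")
```

The upgrade is the fix; the `editor_users` check is only there to size the interim risk, since the page's precondition is a backend account that can open the Editor section. Removing that permission from untrusted accounts until the upgrade lands is the obvious short-term control.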
References
- https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v (Third Party Advisory)
Frequently Asked Questions
What is CVE-2022-35944?
A Safe Mode (`cms.safe_mode`) bypass in October CMS: a backend user with permission to open the Editor section can use a crafted request to add PHP code to a CMS template even though safe mode is meant to prevent that, which gives code execution on the server.
How severe is CVE-2022-35944?
High, with a CVSS v3.1 base score of 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The impact is full compromise of confidentiality, integrity and availability; the score is held below Critical only because the attacker must already hold a privileged backend account. EPSS puts the probability of exploitation in the next 30 days at 0.86%.
How do I fix CVE-2022-35944?
Upgrade to October CMS 2.2.34 or later on the 2.x line, or 3.0.66 or later on the 3.x line. Until the upgrade is applied, limit the Editor permission to trusted accounts, since that permission is the precondition for the bypass, and do not treat safe mode alone as sufficient when the admin panel is exposed publicly.
Source: NVD / NIST
