Arbitrary Code Execution Affecting october/system package, versions <1.0.473 >=1.1.0, <1.1.6
Snyk CVSS
Attack Complexity
High
Privileges Required
High
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
EPSS
0.14% (50th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-OCTOBERSYSTEM-2342080
- published 16 Jan 2022
- disclosed 16 Jan 2022
- credit sushiwushi
Introduced: 16 Jan 2022
CVE-2021-32650 Open this link in a new tabHow to fix?
Upgrade october/system
to version 1.0.473, 1.1.6 or higher.
Overview
october/system is a System module for October CMS.
Affected versions of this package are vulnerable to Arbitrary Code Execution. An attacker with access to the backend is able to execute PHP code by using the theme import feature, which bypasses the safe mode feature that prevents PHP execution in the CMS templates.