Arbitrary Code Execution Affecting october/system package, versions >=1.0.319 <1.0.474 and >=1.1.0 <1.1.10
- Snyk ID SNYK-PHP-OCTOBERSYSTEM-2412703
- published 24 Feb 2022
- disclosed 24 Feb 2022
- credit David Miller
Introduced: 24 Feb 2022
CVE-2022-21705
How to fix?
Upgrade october/system to version 1.0.474, 1.1.10 or higher.
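The quickest way to tell whether a deployment falls inside the affected ranges above is to read the locked version of october/system out of composer.lock and compare it against the advisory's boundaries. The following script is an added example written for this page; it is not Snyk's or October CMS's code. The composer.lock excerpt embedded in it is constructed for the demonstration, and the helper names (parse_version, is_affected, fix_version, check_composer_lock) are my own. It drops pre-release suffixes when comparing, which is a simplification: a "1.1.10-rc1" style tag is treated as 1.1.10.

```python
import json
import re

# Affected ranges taken from the advisory: >=1.0.319 <1.0.474 and >=1.1.0 <1.1.10.
# Each entry is (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [((1, 0, 319), (1, 0, 474)), ((1, 1, 0), (1, 1, 10))]

# First patched release on each affected minor branch, per the "How to fix?" section.
FIXED_VERSIONS = {(1, 0): "1.0.474", (1, 1): "1.1.10"}


def parse_version(version):
    """Turn 'v1.1.9' or '1.1.9' into a comparable (major, minor, patch) tuple.

    Pre-release suffixes such as '-rc1' are ignored (a simplification, assumed
    acceptable for a quick triage check, not a full composer version comparison).
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version lies inside any of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def fix_version(version):
    """Smallest patched release on the same minor branch, or None if the advisory
    does not name a fix for that branch (e.g. a 2.x install is simply out of scope)."""
    v = parse_version(version)
    return FIXED_VERSIONS.get(v[:2])


def check_composer_lock(lock_text, package="october/system"):
    """Look the package up in composer.lock JSON.

    Returns (locked_version, affected, fix_version) or None if the package is not
    locked at all. Both 'packages' and 'packages-dev' are searched.
    """
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                locked = pkg["version"]
                return locked, is_affected(locked), fix_version(locked)
    return None


# Constructed composer.lock excerpt for the demonstration; not from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "october/rain", "version": "v1.1.5"},
        {"name": "october/system", "version": "v1.1.9"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    result = check_composer_lock(SAMPLE_LOCK)
    if result is None:
        print("october/system is not present in composer.lock")
    else:
        locked, affected, fix = result
        if affected:
            print(f"october/system {locked}: AFFECTED by CVE-2022-21705, upgrade to {fix}")
        else:
            print(f"october/system {locked}: not in the affected ranges")
```

Run it against a real lock file by replacing SAMPLE_LOCK with the contents of composer.lock; a "not in the affected ranges" result for a branch other than 1.0 or 1.1 only means the advisory does not cover that branch, not that the install was assessed.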
Overview
october/system is a System module for October CMS.
Affected versions of this package are vulnerable to Arbitrary Code Execution because user input is not sanitized properly before rendering. An authenticated user with permissions to create, modify and delete website pages can exploit this to bypass cms.safe_mode or cms.enableSafeMode (the setting intended to stop backend users from placing PHP code in CMS templates) and execute arbitrary code.
Note: This issue only affects admin panels that rely on safe mode and restricted permissions.
To exploit this vulnerability, an attacker must first have access to the backend area.