CVE-2022-35944

October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request. The issue has been patched in versions 2.2.34 and 3.0.66.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*
cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*

History

18 Oct 2022, 20:32

Type Values Removed Values Added
CPE cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.2
References (CONFIRM) https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v - (CONFIRM) https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v - Third Party Advisory

14 Oct 2022, 00:31

Type Values Removed Values Added
New CVE

Information

Published : 2022-10-13 22:15

Updated : 2024-02-04 22:51


NVD link : CVE-2022-35944

Mitre link : CVE-2022-35944

CVE.ORG link : CVE-2022-35944


JSON object : View

Products Affected

octobercms

  • october
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')