Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to build 474 or v1.1.10. The only known workaround is to manually apply the patch (e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a) which adds server signature validation.
References
| Link | Resource |
|---|---|
| https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a | Patch Third Party Advisory |
| https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5 | Patch Third Party Advisory |
| https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a | Patch Third Party Advisory |
| https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5 | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 06:49
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a - Patch, Third Party Advisory | |
| References | () https://github.com/octobercms/october/security/advisories/GHSA-53m6-44rc-h2q5 - Patch, Third Party Advisory | |
| CVSS |
v2 : v3 : |
v2 : 2.6
v3 : 4.8 |
Information
Published : 2022-02-24 00:15
Updated : 2024-11-21 06:49
NVD link : CVE-2022-23655
Mitre link : CVE-2022-23655
CVE.ORG link : CVE-2022-23655
JSON object : View
Products Affected
octobercms
- october
CWE
CWE-347
Improper Verification of Cryptographic Signature