Deleted Admin Can Sign In to Admin Interface
CVE-2021-41126

7.2HIGH

Key Information:

Vendor: Octobercms
Status: October
Vendor: CVE Published:; 6 October 2021

What is CVE-2021-41126?

October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the october/october package. There are no workarounds for this issue and all users should update.

Affected Version(s)

october >= 2.0.0, < 2.1.12

References

https://github.com/octobercms/october/security/advisories...

x_refsource_CONFIRM

https://octobercms.com/changelog

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 6, 2021
Vulnerability Reserved
Sep 15, 2021

CVE-2021-41126 Data

JSON

Octobercms

What is CVE-2021-41126?

Affected Version(s)

References

CVSS V3.1

Timeline