Missing server signature validation in OctoberCMS
CVE-2022-23655

4.8MEDIUM

Key Information:

Vendor: Octobercms
Status: October
Vendor: CVE Published:; 24 February 2022

What is CVE-2022-23655?

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to build 474 or v1.1.10. The only known workaround is to manually apply the patch (e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a) which adds server signature validation.

Affected Version(s)

october >= 1.1.0, < 1.1.11 < 1.1.0, 1.1.11

october < 1.0.475 < 1.0.475

References

https://github.com/octobercms/october/security/advisories...

x_refsource_CONFIRM

https://github.com/octobercms/october/commit/e3b455ad5872...

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 24, 2022
Vulnerability Reserved
Jan 19, 2022

CVE-2022-23655 Data

JSON