CVE-2021-41126

October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the october/october package. There are no workarounds for this issue and all users should update.

CVSS v3 7.2 HIGH
CVSS v2.0 6.5 MEDIUM

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7	Third Party Advisory
https://octobercms.com/changelog	Release Notes Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*

History

14 Oct 2021, 16:43

Type	Values Removed	Values Added
CPE		cpe:2.3:a:octobercms:october::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~7.2~~	v2 : 6.5 v3 : 7.2
References	~~(MISC) https://octobercms.com/changelog -~~	(MISC) https://octobercms.com/changelog - Release Notes, Vendor Advisory
References	~~(CONFIRM) https://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7 -~~	(CONFIRM) https://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7 - Third Party Advisory

06 Oct 2021, 18:39

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-10-06 18:15

Updated : 2023-12-10 14:09

NVD link : CVE-2021-41126

Mitre link : CVE-2021-41126

CVE.ORG link : CVE-2021-41126

JSON object : View

Products Affected

octobercms

october

CWE

CWE-287

Improper Authentication

{"id": "CVE-2021-41126", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2021-10-06T18:15:11.013", "references": [{"url": "https://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://octobercms.com/changelog", "tags": ["Release Notes", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the october/october package. There are no workarounds for this issue and all users should update."}, {"lang": "es", "value": "October es un Sistema de Administraci\u00f3n de Contenidos (CMS) y una plataforma web construida sobre el framework PHP Laravel. En las versiones afectadas, las cuentas de administrador que hab\u00edan sido eliminadas previamente pueden seguir siendo capaces de iniciar sesi\u00f3n en el backend usando October CMS versi\u00f3n v2.0. El problema ha sido parcheado en la versi\u00f3n 2.1.12 del paquete october/october. No se presentan soluciones para este problema y todos los usuarios deben actualizar"}], "lastModified": "2021-10-14T16:43:37.783", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2CAD7006-27C1-493F-A50B-2508EDFD0793", "versionEndExcluding": "2.1.12", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}