CVE-2022-24800
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the fromData method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory. This vulnerability affects plugins that expose the October\Rain\Database\Attach\File::fromData as a public interface and does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally. The issue has been patched in Build 476 (v1.0.476), v1.1.12, and v2.2.15. Those who are unable to upgrade may apply with patch to their installation manually as a workaround.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| octobercms | october | < 1.0.476 | affected |
| octobercms | october | >= 1.1.0, < 1.1.12 | affected |
| octobercms | october | >= 2.0.0, < 2.2.15 | affected |
Weaknesses
- CWE-362: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp
- https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp
- https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.