CVE Vulnerability

CVE-2021-21265

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.

4.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 Patch Third Party Advisory
https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 Patch Third Party Advisory
https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp Patch Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*
Information

Published : 2021-03-10 10:15

Updated : 2021-03-18 04:48

NVD link : CVE-2021-21265

Mitre link : CVE-2021-21265

Products Affected
No products.
CWE
CWE-644

Improper Neutralization of HTTP Headers for Scripting Syntax