CVSS base score: 7.5

CVE-2021-21265

October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header, to an October CMS instance), the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.
Data provided by the National Vulnerability Database (NVD)
Affected product: Octobercms October, version < 1.1.2
No advisory was found for this CVE.
EPSS Metrics

Type  Source     Score  Percentile
EPSS  FIRST.org  1.51%  0.712

CVSS Metrics

Source                          Base Score  Exploit Score  Impact Score  Vector String
nvd@nist.gov                    7.5         3.9            3.6           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov                    4.3         8.6            2.9           AV:N/AC:M/Au:N/C:N/I:P/A:N
security-advisories@github.com  6.8         2.2            4             CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax

The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.

References

https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 (Patch, Third Party Advisory)
https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 (Patch, Third Party Advisory)
https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp (Patch, Third Party Advisory)
https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d
https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30
https://packagist.org/packages/october/backend