Account Takeover in Octobercms

CVE-2021-32648 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Impact

An attacker can request an account password reset and then gain access to the account using a specially crafted request.

  • To exploit this vulnerability, an attacker must know the username of an administrator and have access to the password reset form.

Patches

Workarounds

Apply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9 to your installation manually if you are unable to upgrade.

[Update 2022-01-20] Shortened patch instructions can be found here.

Recommendations

We recommend the following steps to make sure your server stays secure:

  • Keep server OS and system software up to date.
  • Keep October CMS software up to date.
  • Use a multi-factor authentication plugin.
  • Change the default backend URL or block public access to the backend area.
  • Include the Roave/SecurityAdvisories Composer package to ensure that your application doesn't have installed dependencies with known security vulnerabilities.

References

Bugs found as part of Solar Security CMS Research. Credits to:
• Andrey Basarygin
• Andrey Guzei
• Mikhail Khramenkov
• Alexander Sidukov
• Maxim Teplykh

For more information

If you have any questions or comments about this advisory:
* Email us at [email protected]

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2021-08-30 16:13:02 UTC
Updated
2025-10-22 19:06:43 UTC
GitHub reviewed
2021-08-26 20:14:45 UTC
NVD published
2021-08-26

EPSS Score

Score Percentile
93.08% 99.79%

CVSS Scores

Base score Version Severity Vector
8.2 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.
Exploit maturity (E:H)
Exploits are easy to find or already weaponized—assume people are using them.

Identifiers

Type Value
GHSA GHSA-mxr5-mc97-63rc ↗
CVE CVE-2021-32648 ↗

CWEs

CWE id Name
CWE-287 Improper Authentication

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer october/system < 1.0.472 1.0.472
composer october/system >= 1.1.1, < 1.1.5 1.1.5

References

cvelogic Threat Intelligence