CVE-2021-32648

high-risk
Published 2021-08-26

octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

Do I need to act?

!
93.1% chance of exploitation in next 30 days
EPSS score — higher than 7% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.2/10 High
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Octobercms

References (7)

Patch https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3...
Patch https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3...
Patch https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc
Patch https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3...
Patch https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3...
Patch https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-...
62
/ 100
high-risk
Severity 28/34 · Critical
Exploitability 27/34 · High
Exposure 7/34 · Low