SB2021082616 - Multiple vulnerabilities in October CMS

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: CVE-2021-32648)

The vulnerability allows a remote attacker to compromise the affected application.

The vulnerability exists due to a weak password recovery mechanism. A remote attacker can send a specially crafted request to the web application, reset password for an arbitrary account and gain unauthorized access to the application.

2) Improper Authentication (CVE-ID: CVE-2021-29487)

The vulnerability allows a remote attacker to bypass authentication process and impersonate another user.

The vulnerability exists due to an error when handling authorization via persist cookies. A remote attacker can impersonate another application user and gain unauthorized access to the application.

Successful exploitation of the vulnerability requires knowledge of the Laravel’s secret key for cookie encryption and signing, and that a targeted user account is logged in during vulnerability exploitation.

Remediation

Install update from vendor's website.

References

• https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc/
• https://github.com/octobercms/october/security/advisories/GHSA-h76r-vgf3-j6w5/