#VU65127 Race condition in October CMS - CVE-2022-24800

Cybersecurity Help s.r.o.

Published: 2022-07-12

Vulnerability identifier: #VU65127

Vulnerability risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-24800

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
October CMS
Web applications / CMS

Vendor: OctoberCMS

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a race condition when processing uploaded filenames passed via the fromData method. A remote attacker can upload and execute arbitrary files on the system.

The vulnerability affects installations of OctoberCMS with plugins that expose the October\Rain\Database\Attach\File::fromData as a public interface.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

October CMS: 1.0.319 - 1.0.475, 1.1.0 - 1.1.11, 2.0.0 - 2.0.29, 2.1.0 - 2.1.29, 2.2.0 - 2.2.14

External links
https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Remote code execution in October CMS