CVE-2021-32648

### Impact An attacker can request an account password reset and then gain access to the account using a specially crafted request. - To exploit this vulnerability, an attacker must know the username of an administrator and have access to the password reset form. ### Patches - Issue has been patched in Build 472 and v1.1.5 - [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648) ### Workarounds Apply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9 to your installation manually if you are unable to upgrade. [**Update 2022-01-20**] [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648) can be found here. ### Recommendations We recommend the following steps to make sure your server stays secure: - Keep server OS and system software up to date. - Keep October CMS software up to date. - Use a multi-factor authentication plugin. - Change the [default backend URL](https://github.com/octobercms/october/blob/1.1/config/cms.php#L39) or block public access to the backend area. - Include the [Roave/SecurityAdvisories](https://github.com/Roave/SecurityAdvisories) Composer package to ensure that your application doesn't have installed dependencies with known security vulnerabilities. ### References Bugs found as part of Solar Security CMS Research. Credits to: • Andrey Basarygin • Andrey Guzei • Mikhail Khramenkov • Alexander Sidukov • Maxim Teplykh ### For more information If you have any questions or comments about this advisory: * Email us at [hello@octobercms.com](mailto:hello@octobercms.com)

### Impact An attacker can request an account password reset and then gain access to the account using a specially crafted request. - To exploit this vulnerability, an attacker must know the username of an administrator and have access to the password reset form. ### Patches - Issue has been patched in Build 472 and v1.1.5 - [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648) ### Workarounds Apply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9 to your installation manually if you are unable to upgrade. [**Update 2022-01-20**] [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648) can be found here. ### Recommendations We recommend the following steps to make sure your server stays secure: - Keep server OS and system software up to date. - Keep October CMS software up to date. - Use a multi-factor authentication plugin. - Change the [default backend URL](https://github.com/octobercms/october/blob/1.1/config/cms.php#L39) or block public access to the backend area. - Include the [Roave/SecurityAdvisories](https://github.com/Roave/SecurityAdvisories) Composer package to ensure that your application doesn't have installed dependencies with known security vulnerabilities. ### References Bugs found as part of Solar Security CMS Research. Credits to: • Andrey Basarygin • Andrey Guzei • Mikhail Khramenkov • Alexander Sidukov • Maxim Teplykh ### For more information If you have any questions or comments about this advisory: * Email us at [hello@octobercms.com](mailto:hello@octobercms.com)

octobercms en una plataforma CMS basada en el Framework PHP Laravel. En las versiones afectadas del paquete october/system un atacante puede solicitar el restablecimiento de la contraseña de una cuenta y luego conseguir acceso a la misma mediante una petición especialmente diseñada. El problema ha sido parcheado en la Build 472 y en la versión v1.1.5.