octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can exploit this vulnerability to bypass authentication and takeover of and user account on an October CMS server. The vulnerability is exploitable by unauthenticated users via a specially crafted request. This only affects frontend users and the attacker must obtain a Laravel secret key for cookie encryption and signing in order to exploit this vulnerability. The issue has been patched in Build 472 and v1.1.5.
Published 2021-08-26 19:15:07
Updated 2022-08-02 15:49:15
Source GitHub, Inc.
View at NVD,   CVE.org
Vulnerability category: BypassGain privilege

Products affected by CVE-2021-29487

Exploit prediction scoring system (EPSS) score for CVE-2021-29487

0.13%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 48 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-29487

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
5.8
MEDIUM AV:N/AC:M/Au:N/C:P/I:P/A:N
8.6
4.9
NIST
7.4
HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
2.2
5.2
GitHub, Inc.

CWE ids for CVE-2021-29487

  • When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
    Assigned by: security-advisories@github.com (Secondary)

References for CVE-2021-29487

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!