CVE-2022-21705

7.2 HIGH

📋 TL;DR

This CVE allows authenticated users with page management permissions in OctoberCMS to bypass safe mode restrictions and execute arbitrary code through improper input sanitization. It affects admin panels relying on safe mode and restricted permissions. Attackers must first gain backend access to exploit this vulnerability.

💻 Affected Systems

Products:
  • OctoberCMS
Versions: All v1.0.x builds before Build 474 (v1.0.474) and all v1.1.x versions before v1.1.10
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using safe mode (cms.safe_mode or cms.enableSafeMode) with restricted permissions

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case

Authenticated attackers with page management permissions can execute arbitrary code within the CMS context, potentially gaining full control over the website.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to authorized users abusing their legitimate permissions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access with page creation/modification/deletion permissions

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Build 474 (v1.0.474) or v1.1.10

Vendor Advisory: https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22

Restart Required: No

Instructions:

1. Update OctoberCMS to Build 474 or v1.1.10 via composer update.
2. Alternatively, manually apply commit c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation.

🔧 Temporary Workarounds

Disable page management for untrusted users
Applies to: all
Remove page creation, modification, and deletion permissions from users who don't absolutely need them.

Implement additional input validation
Applies to: all
Add custom validation rules for all user input in page management functionality.

🧯 If You Can't Patch

  • Restrict backend access to trusted IP addresses only
  • Implement strict monitoring of page management activities and review all changes

🔍 How to Verify

Check if Vulnerable:

Check the OctoberCMS version via the admin panel or by examining the composer.json file.

Check Version:

php artisan october:version

Verify Fix Applied:

Verify that the version is Build 474 or higher for v1.0.x, or v1.1.10 or higher for v1.1.x.
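The version check above has two branches (the 1.0 build line and the 1.1 release line), which is easy to get wrong when scripting it across many installs. The following is an added example, not part of this advisory or of OctoberCMS: it compares a version string against the fixed versions stated above and can pull the version out of a composer.lock. The composer package name october/system and the "Build NNN" shorthand for the 1.0 line are assumptions about the install layout.

```python
"""Decide whether an OctoberCMS version is still affected by CVE-2022-21705.

Added example (not the advisory's or the project's code). Thresholds are the
fixed versions the advisory names: Build 474 (v1.0.474) on the 1.0 line and
v1.1.10 on the 1.1 line.
"""
import json
import re

# First fixed version per release line, taken from the advisory.
FIXED = {
    (1, 0): (1, 0, 474),
    (1, 1): (1, 1, 10),
}


def parse_version(s):
    """Turn 'v1.1.9', '1.0.473' or 'Build 474' into a comparable tuple.

    'Build NNN' is interpreted as 1.0.NNN (assumption: builds are the 1.0 line).
    """
    s = s.strip()
    m = re.fullmatch(r"(?i)build\s+(\d+)", s)
    if m:
        return (1, 0, int(m.group(1)))
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", s)
    if m:
        return tuple(int(x) for x in m.groups())
    raise ValueError(f"unrecognised version string: {s!r}")


def is_vulnerable(version):
    """True if below the fixed version for its line, False if at/above it,
    None if the version is on a line this advisory does not cover."""
    v = parse_version(version)
    line = v[:2]
    if line not in FIXED:
        return None
    return v < FIXED[line]


def version_from_composer_lock(lock_text, package="october/system"):
    """Read the installed version of `package` from composer.lock contents.

    composer.lock holds exact installed versions, unlike composer.json, which
    only holds constraints. Package name is an assumption about the install.
    """
    data = json.loads(lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") == package:
            return pkg["version"]
    raise LookupError(f"{package} not found in composer.lock")


# Constructed composer.lock fragment for the demonstration; not a real file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "october/rain", "version": "v1.1.5"},
        {"name": "october/system", "version": "v1.1.9"},
    ]
})


if __name__ == "__main__":
    installed = version_from_composer_lock(SAMPLE_LOCK)
    print(installed, "vulnerable:", is_vulnerable(installed))
```

In practice feed it the real composer.lock (open the file and pass its text) or the output of the version command; a result of None means the install is on a line the advisory says nothing about, so do not read it as "safe".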

📡 Detection & Monitoring

Log Indicators:

  • Unusual page creation/modification patterns
  • Suspicious PHP code in page content
  • Multiple failed login attempts followed by page management activities

Network Indicators:

  • Unusual outbound connections from CMS server
  • Requests to page management endpoints from unexpected sources

SIEM Query:

source="octobercms" AND (event="page_created" OR event="page_modified") AND user NOT IN ["trusted_users"]
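The SIEM query above expresses one rule (page events by users outside a trusted list); the log indicators listed earlier add a second (PHP code appearing in page content). The following is an added example, not code from the advisory or from OctoberCMS, that applies both rules to newline-delimited JSON events. The event field names (source, event, user, page, content), the trusted user list and the log lines are all constructed for the demonstration; a real deployment would map them to whatever the backend actually logs.

```python
"""Flag suspicious OctoberCMS page-management events in NDJSON logs.

Added example (not the advisory's or the project's code). Field names,
trusted users and sample events are constructed assumptions.
"""
import json
import re

TRUSTED_USERS = {"alice", "bob"}          # constructed trusted list
PAGE_EVENTS = {"page_created", "page_modified"}

# Heuristics for "PHP code in page content": an opening PHP tag, or a call
# to a function that executes code or commands.
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
RISKY_CALLS = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|assert)\s*\(", re.I)


def check_event(ev, trusted=TRUSTED_USERS):
    """Return the list of reasons an event is suspicious (empty if none)."""
    if ev.get("source") != "octobercms" or ev.get("event") not in PAGE_EVENTS:
        return []
    reasons = []
    if ev.get("user") not in trusted:
        reasons.append("untrusted_user")
    content = ev.get("content") or ""
    if PHP_TAG.search(content):
        reasons.append("php_tag")
    if RISKY_CALLS.search(content):
        reasons.append("risky_call")
    return reasons


def scan(log_text, trusted=TRUSTED_USERS):
    """Scan NDJSON log text; return one alert dict per suspicious line."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            # Unparsable lines are worth a look too; never silently drop them.
            alerts.append({"line": lineno, "reasons": ["unparsable"]})
            continue
        reasons = check_event(ev, trusted)
        if reasons:
            alerts.append({"line": lineno, "user": ev.get("user"),
                           "page": ev.get("page"), "reasons": reasons})
    return alerts


# Constructed sample log: one clean edit by a trusted user, a failed login
# (not a page event), a page edit by an untrusted user carrying PHP, an event
# from another source, and a clean edit by a user who is simply not on the list.
SAMPLE_LOG = """\
{"source":"octobercms","event":"page_created","user":"alice","page":"about","content":"<h1>About</h1>"}
{"source":"octobercms","event":"login_failed","user":"mallory","page":null,"content":null}
{"source":"octobercms","event":"page_modified","user":"mallory","page":"home","content":"<?php eval($x); ?>"}
{"source":"nginx","event":"page_modified","user":"mallory","page":"x","content":""}
{"source":"octobercms","event":"page_modified","user":"carol","page":"contact","content":"<p>hi</p>"}
"""


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The two rules are deliberately independent: a trusted user pushing PHP tags still raises php_tag, and an unknown user making a harmless edit still raises untrusted_user, so the review queue reflects the "authorized users abusing their legitimate permissions" case from the risk section as well as the untrusted-access case.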

🔗 References
