CVE-2021-41126 - OpenCVE

October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the october/october package. There are no workarounds for this issue and all users should update.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Octobercms	October

Configuration 1 [-]

cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7
https://octobercms.com/changelog

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-10-06T17:25:13

Updated: 2024-08-04T02:59:31.618Z

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41126

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-06T18:15:11.013

Modified: 2021-10-14T16:43:37.783

Link: CVE-2021-41126

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "october", "vendor": "octobercms", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.1.12"}]}], "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the october/october package. There are no workarounds for this issue and all users should update."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-06T17:25:13", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7"}, {"tags": ["x_refsource_MISC"], "url": "https://octobercms.com/changelog"}], "source": {"advisory": "GHSA-6gjf-7w99-j7x7", "discovery": "UNKNOWN"}, "title": "Deleted Admin Can Sign In to Admin Interface", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41126", "STATE": "PUBLIC", "TITLE": "Deleted Admin Can Sign In to Admin Interface"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "october", "version": {"version_data": [{"version_value": ">= 2.0.0, < 2.1.12"}]}}]}, "vendor_name": "octobercms"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the october/october package. There are no workarounds for this issue and all users should update."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287: Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "https://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7", "refsource": "CONFIRM", "url": "https://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7"}, {"name": "https://octobercms.com/changelog", "refsource": "MISC", "url": "https://octobercms.com/changelog"}]}, "source": {"advisory": "GHSA-6gjf-7w99-j7x7", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:59:31.618Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://octobercms.com/changelog"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41126", "datePublished": "2021-10-06T17:25:13", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.618Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CAD7006-27C1-493F-A50B-2508EDFD0793", "versionEndExcluding": "2.1.12", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the october/october package. There are no workarounds for this issue and all users should update."}, {"lang": "es", "value": "October es un Sistema de Administraci\u00f3n de Contenidos (CMS) y una plataforma web construida sobre el framework PHP Laravel. En las versiones afectadas, las cuentas de administrador que hab\u00edan sido eliminadas previamente pueden seguir siendo capaces de iniciar sesi\u00f3n en el backend usando October CMS versi\u00f3n v2.0. El problema ha sido parcheado en la versi\u00f3n 2.1.12 del paquete october/october. No se presentan soluciones para este problema y todos los usuarios deben actualizar"}], "id": "CVE-2021-41126", "lastModified": "2021-10-14T16:43:37.783", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Primary"}]}, "published": "2021-10-06T18:15:11.013", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://octobercms.com/changelog"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}