CVE-2022-21705

Description

### Impact An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code. - This issue only affects admin panels that rely on safe mode and restricted permissions. - To exploit this vulnerability, an attacker must first have access to the backend area. ### Patches The issue has been patched in Build 474 (v1.0.474) and v1.1.10. ### Workarounds Apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to your installation manually if unable to upgrade to Build 474 or v1.1.10. ### References Credits to: - David Miller ### For more information If you have any questions or comments about this advisory: - Email us at [[email protected]](mailto:[email protected])

How to fix CVE-2022-21705

To remediate CVE-2022-21705, upgrade the affected package to a fixed version below.

• —upgrade to 1.0.474 or later

Is CVE-2022-21705 being exploited?

Likely — EPSS is 70.3%, placing CVE-2022-21705 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

• from 0, < 1.0.474

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-21705
• WEBgithub.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe
• WEBgithub.com/octobercms/october
• WEBgithub.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22