cvelistv5 - CVE-2021-32648

CVE-2021-32648 (GCVE-0-2021-32648)

Vulnerability from cvelistv5

Published

2021-08-26 19:00

Modified

2025-10-21 23:25

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE

CWE-287 - Improper Authentication

Summary

octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

References

URL

	Vendor	Product	Version
	octobercms	october	Version: >= 1.0.471, < 1.0.472 Version: >= 1.1.1, < 1.1.5

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

Date added: 2022-01-18

Due date: 2022-02-01

Required action: Apply updates per vendor instructions.

Used in ransomware: Unknown

Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-32648

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:25:30.919Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-32648",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-06T19:37:19.296739Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-01-18",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:25:36.099Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-01-18T00:00:00+00:00",
            "value": "CVE-2021-32648 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "october",
          "vendor": "octobercms",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.471, \u003c 1.0.472"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.1.1, \u003c 1.1.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287: Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-26T19:00:12.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9"
        }
      ],
      "source": {
        "advisory": "GHSA-mxr5-mc97-63rc",
        "discovery": "UNKNOWN"
      },
      "title": "Account Takeover in Octobercms",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32648",
          "STATE": "PUBLIC",
          "TITLE": "Account Takeover in Octobercms"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "october",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 1.0.471, \u003c 1.0.472"
                          },
                          {
                            "version_value": "\u003e= 1.1.1, \u003c 1.1.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "octobercms"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-287: Improper Authentication"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc",
              "refsource": "CONFIRM",
              "url": "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc"
            },
            {
              "name": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374",
              "refsource": "MISC",
              "url": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374"
            },
            {
              "name": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9",
              "refsource": "MISC",
              "url": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-mxr5-mc97-63rc",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32648",
    "datePublished": "2021-08-26T19:00:12.000Z",
    "dateReserved": "2021-05-12T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:25:36.099Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2021-32648",
      "cwes": "[\"CWE-287\"]",
      "dateAdded": "2022-01-18",
      "dueDate": "2022-02-01",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2021-32648",
      "product": "October CMS",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.",
      "vendorProject": "October CMS",
      "vulnerabilityName": "October CMS Improper Authentication"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-32648\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-08-26T19:15:07.230\",\"lastModified\":\"2025-10-24T14:47:44.400\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.\"},{\"lang\":\"es\",\"value\":\"octobercms en una plataforma CMS basada en el Framework PHP Laravel. En las versiones afectadas del paquete october/system un atacante puede solicitar el restablecimiento de la contrase\u00f1a de una cuenta y luego conseguir acceso a la misma mediante una petici\u00f3n especialmente dise\u00f1ada. El problema ha sido parcheado en la Build 472 y en la versi\u00f3n v1.1.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2022-01-18\",\"cisaActionDue\":\"2022-02-01\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"October CMS Improper Authentication\",\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.1.1\",\"versionEndExcluding\":\"1.1.5\",\"matchCriteriaId\":\"2E79163B-046D-4BA9-82C9-70AB3A000D69\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:octobercms:october:1.0.471:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1C626BDE-022E-4AEE-A189-6AB7EBEDD80F\"}]}]}],\"references\":[{\"url\":\"https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T23:25:30.919Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-32648\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-06T19:37:19.296739Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-01-18\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-01-18T00:00:00+00:00\", \"value\": \"CVE-2021-32648 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-06T19:37:22.585Z\"}}], \"cna\": {\"title\": \"Account Takeover in Octobercms\", \"source\": {\"advisory\": \"GHSA-mxr5-mc97-63rc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"octobercms\", \"product\": \"october\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.0.471, \u003c 1.0.472\"}, {\"status\": \"affected\", \"version\": \"\u003e= 1.1.1, \u003c 1.1.5\"}]}], \"references\": [{\"url\": \"https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-287\", \"description\": \"CWE-287: Improper Authentication\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2021-08-26T19:00:12.000Z\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, \"source\": {\"advisory\": \"GHSA-mxr5-mc97-63rc\", \"discovery\": \"UNKNOWN\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"\u003e= 1.0.471, \u003c 1.0.472\"}, {\"version_value\": \"\u003e= 1.1.1, \u003c 1.1.5\"}]}, \"product_name\": \"october\"}]}, \"vendor_name\": \"octobercms\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc\", \"name\": \"https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc\", \"refsource\": \"CONFIRM\"}, {\"url\": \"https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374\", \"name\": \"https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374\", \"refsource\": \"MISC\"}, {\"url\": \"https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9\", \"name\": \"https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9\", \"refsource\": \"MISC\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-287: Improper Authentication\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2021-32648\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Account Takeover in Octobercms\", \"ASSIGNER\": \"security-advisories@github.com\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-32648\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:25:36.099Z\", \"dateReserved\": \"2021-05-12T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2021-08-26T19:00:12.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

gsd-2021-32648

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

Aliases

CVE-2021-32648

Aliases

CVE-2021-32648

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-32648",
    "description": "octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.",
    "id": "GSD-2021-32648"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-32648"
      ],
      "details": "octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.",
      "id": "GSD-2021-32648",
      "modified": "2023-12-13T01:23:08.824959Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cisa.gov": {
      "cveID": "CVE-2021-32648",
      "dateAdded": "2022-01-18",
      "dueDate": "2022-02-01",
      "product": "October CMS",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.",
      "vendorProject": "October CMS",
      "vulnerabilityName": "October CMS Improper Authentication"
    },
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-32648",
        "STATE": "PUBLIC",
        "TITLE": "Account Takeover in Octobercms"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "october",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 1.0.471, \u003c 1.0.472"
                        },
                        {
                          "version_value": "\u003e= 1.1.1, \u003c 1.1.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "octobercms"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-287: Improper Authentication"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc",
            "refsource": "CONFIRM",
            "url": "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc"
          },
          {
            "name": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374",
            "refsource": "MISC",
            "url": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374"
          },
          {
            "name": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9",
            "refsource": "MISC",
            "url": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-mxr5-mc97-63rc",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=1.0.471,\u003c1.0.472||\u003e=1.1.1,\u003c1.1.5",
          "affected_versions": "All versions starting from 1.0.471 before 1.0.472, all versions starting from 1.1.1 before 1.1.5",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2023-07-07",
          "description": "octobercms in a CMS platform based on the Laravel PHP Framework. An attacker can request an account password reset and then gain access to the account using a specially crafted request.",
          "fixed_versions": [
            "1.0.472",
            "1.1.5"
          ],
          "identifier": "CVE-2021-32648",
          "identifiers": [
            "CVE-2021-32648",
            "GHSA-mxr5-mc97-63rc"
          ],
          "not_impacted": "All versions before 1.0.471, all versions starting from 1.0.472 before 1.1.1, all versions starting from 1.1.5",
          "package_slug": "packagist/october/october",
          "pubdate": "2021-08-26",
          "solution": "Upgrade to versions 1.0.472, 1.1.5 or above.",
          "title": "Weak Password Recovery Mechanism for Forgotten Password",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-32648"
          ],
          "uuid": "e725cbf0-1903-4cbb-92e1-eef61e61f3df"
        },
        {
          "affected_range": "\u003c1.0.472||\u003e=1.1.1,\u003c1.1.5",
          "affected_versions": "All versions before 1.0.472, all versions starting from 1.1.1 before 1.1.5",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-640",
            "CWE-937"
          ],
          "date": "2021-10-21",
          "description": "octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.",
          "fixed_versions": [
            "1.0.472",
            "1.1.5"
          ],
          "identifier": "CVE-2021-32648",
          "identifiers": [
            "GHSA-mxr5-mc97-63rc",
            "CVE-2021-32648"
          ],
          "not_impacted": "All versions starting from 1.0.472 before 1.1.1, all versions starting from 1.1.5",
          "package_slug": "packagist/october/system",
          "pubdate": "2021-08-30",
          "solution": "Upgrade to versions 1.0.472, 1.1.5 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc",
            "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374",
            "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-32648",
            "https://github.com/advisories/GHSA-mxr5-mc97-63rc"
          ],
          "uuid": "978c29dd-ced3-49c3-a571-6b56e6266fc7"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.1.5",
                "versionStartIncluding": "1.1.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.0.472",
                "versionStartIncluding": "1.0.471",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32648"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9"
            },
            {
              "name": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374"
            },
            {
              "name": "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2023-07-07T19:27Z",
      "publishedDate": "2021-08-26T19:15Z"
    }
  }
}

ghsa-mxr5-mc97-63rc

Vulnerability from github

Published

2021-08-30 16:13

Modified

2025-10-22 19:06

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H

Summary

Account Takeover in Octobercms

Details

Impact

An attacker can request an account password reset and then gain access to the account using a specially crafted request.

To exploit this vulnerability, an attacker must know the username of an administrator and have access to the password reset form.

Patches

Issue has been patched in Build 472 and v1.1.5
Shortened patch instructions

Workarounds

Apply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9 to your installation manually if you are unable to upgrade.

[Update 2022-01-20] Shortened patch instructions can be found here.

Recommendations

We recommend the following steps to make sure your server stays secure:

Keep server OS and system software up to date.
Keep October CMS software up to date.
Use a multi-factor authentication plugin.
Change the default backend URL or block public access to the backend area.
Include the Roave/SecurityAdvisories Composer package to ensure that your application doesn't have installed dependencies with known security vulnerabilities.

References

Bugs found as part of Solar Security CMS Research. Credits to: • Andrey Basarygin • Andrey Guzei • Mikhail Khramenkov • Alexander Sidukov • Maxim Teplykh

For more information

If you have any questions or comments about this advisory: * Email us at hello@octobercms.com

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/system"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.472"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/system"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.1"
            },
            {
              "fixed": "1.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-26T20:14:45Z",
    "nvd_published_at": "2021-08-26T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAn attacker can request an account password reset and then gain access to the account using a specially crafted request.\n\n- To exploit this vulnerability, an attacker must know the username of an administrator and have access to the password reset form.\n\n### Patches\n\n- Issue has been patched in Build 472 and v1.1.5\n- [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648)\n\n### Workarounds\n\nApply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9 to your installation manually if you are unable to upgrade.\n\n[**Update 2022-01-20**] [Shortened patch instructions](https://github.com/daftspunk/CVE-2021-32648) can be found here.\n\n### Recommendations\n\nWe recommend the following steps to make sure your server stays secure:\n\n- Keep server OS and system software up to date.\n- Keep October CMS software up to date.\n- Use a multi-factor authentication plugin.\n- Change the [default backend URL](https://github.com/octobercms/october/blob/1.1/config/cms.php#L39) or block public access to the backend area.\n- Include the [Roave/SecurityAdvisories](https://github.com/Roave/SecurityAdvisories) Composer package to ensure that your application doesn\u0027t have installed dependencies with known security vulnerabilities.\n\n### References\n\nBugs found as part of Solar Security CMS Research. Credits to:\n\u2022 Andrey Basarygin\n\u2022 Andrey Guzei\n\u2022 Mikhail Khramenkov\n\u2022 Alexander Sidukov\n\u2022 Maxim Teplykh\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)",
  "id": "GHSA-mxr5-mc97-63rc",
  "modified": "2025-10-22T19:06:40Z",
  "published": "2021-08-30T16:13:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32648"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/octobercms/october"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Account Takeover in Octobercms"
}

fkie_cve-2021-32648

Vulnerability from fkie_nvd

Published

2021-08-26 19:15

Modified

2025-10-24 14:47

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374	Patch
security-advisories@github.com	https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9	Patch
security-advisories@github.com	https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc	Patch, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648	US Government Resource

Impacted products

	Vendor	Product	Version
	octobercms	october	*
	octobercms	october	1.0.471

JSON

To clipboard

{
  "cisaActionDue": "2022-02-01",
  "cisaExploitAdd": "2022-01-18",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "October CMS Improper Authentication",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2E79163B-046D-4BA9-82C9-70AB3A000D69",
              "versionEndExcluding": "1.1.5",
              "versionStartIncluding": "1.1.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:octobercms:october:1.0.471:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C626BDE-022E-4AEE-A189-6AB7EBEDD80F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5."
    },
    {
      "lang": "es",
      "value": "octobercms en una plataforma CMS basada en el Framework PHP Laravel. En las versiones afectadas del paquete october/system un atacante puede solicitar el restablecimiento de la contrase\u00f1a de una cuenta y luego conseguir acceso a la misma mediante una petici\u00f3n especialmente dise\u00f1ada. El problema ha sido parcheado en la Build 472 y en la versi\u00f3n v1.1.5."
    }
  ],
  "id": "CVE-2021-32648",
  "lastModified": "2025-10-24T14:47:44.400",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-08-26T19:15:07.230",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2021-32648 (GCVE-0-2021-32648)

Vulnerability from cvelistv5

CISA Known Exploited Vulnerability

Data from the CISA Known Exploited Vulnerabilities Catalog

gsd-2021-32648

Vulnerability from gsd

ghsa-mxr5-mc97-63rc

Vulnerability from github

Impact

Patches

Workarounds

Recommendations

References

For more information

fkie_cve-2021-32648

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature