Description
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request to an October CMS instance regardless of the Host header), the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature that allows a set of trusted hosts to be specified in the application. As a workaround, one may set the configuration setting cms.linkPolicy to force.
References (6)
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp
Patch, Third Party Advisory (x_refsource_misc): https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6
Patch, Third Party Advisory (x_refsource_misc): https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0
Various Sources (x_refsource_misc): https://packagist.org/packages/october/backend
Patch (x_refsource_misc): https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d
Scores
CVSS v3: 6.8
EPSS: 0.0051
EPSS Percentile: 66.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
Details
CWE: CWE-644
Status: published
Products (2)
october/backend: 0 - 1.1.2 (Packagist)
octobercms/october: < 1.1.2
Published: Mar 10, 2021
Tracked Since: Feb 18, 2026