CVE-2021-32648

HIGH KEV NUCLEI

October < 1.1.5 - Authentication Bypass

Title source: rule

Description

OctoberCMS is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package, an attacker can request a password reset for an account and then gain access to that account using a specially crafted request, without knowing the reset code. The issue has been patched in Build 472 and v1.1.5.
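The description says only "specially crafted request". The snippet below is an added illustration written for this page, not October CMS's code, of the failure mode a CWE-287 reset-code check of this kind can exhibit: a loosely typed comparison (==) between the stored reset code and a value taken from the request body. Laravel decodes JSON bodies into native PHP types, so a request carrying {"code": true} reaches the check as boolean true, and any non-empty string compared with true under == is "equal". The function names, the $storedCode variable and the two sample request bodies are assumptions constructed for the example; whether October's original code matched this line for line is not shown on this page.

```php
<?php
// Added illustration, not October CMS's code. Hypothetical reset-code check for a
// backend password-reset handler. Assumes $storedCode is the random string saved on
// the user record when the reset was requested, and that the submitted value comes
// from a request body that may have been decoded from JSON (so it may not be a string).
declare(strict_types=1);

// Vulnerable form: loose comparison. In PHP, a non-empty string == true evaluates to
// true, so a JSON body {"code": true} passes without the attacker knowing the code.
function checkResetCodeLoose(string $storedCode, mixed $submittedCode): bool
{
    return $storedCode == $submittedCode;
}

// Hardened form: refuse anything that is not a string, refuse an empty stored code
// (no reset pending), then compare with hash_equals, which is both strict about
// types and constant time.
function checkResetCodeStrict(string $storedCode, mixed $submittedCode): bool
{
    if ($storedCode === '' || !is_string($submittedCode)) {
        return false;
    }
    return hash_equals($storedCode, $submittedCode);
}

// Constructed sample data: a reset code as it would look after a reset was requested
// for the victim, plus one form-encoded body (strings only) and one JSON body.
$storedCode = bin2hex(random_bytes(16));
$formBody   = ['code' => 'wrong-guess'];
$jsonBody   = json_decode('{"code": true}', true);

var_dump(checkResetCodeLoose($storedCode, $formBody['code']));
var_dump(checkResetCodeLoose($storedCode, $jsonBody['code']));
var_dump(checkResetCodeStrict($storedCode, $jsonBody['code']));
var_dump(checkResetCodeStrict($storedCode, $storedCode));
```

Run with php 8.0 or later (the mixed type hint needs it). The first call rejects the wrong guess, the second accepts boolean true against a code the caller never saw, which is the bypass; the strict version rejects the boolean and accepts only the exact stored string. The is_string guard matters on its own: passing a boolean to hash_equals raises a TypeError on PHP 8 rather than returning false.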

Exploits (2)

inthewild WORKING POC
poc
https://github.com/immersive-labs-sec/cve-2021-32648
vulncheck_xdb WORKING POC
remote
https://github.com/Immersive-Labs-Sec/CVE-2021-32648

Nuclei Templates (1)

OctoberCMS - Account Takeover
HIGH, verified, by daffainfo
Shodan: http.component:"october cms"

Scores

CVSS v3 8.2
EPSS 0.9307
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Exploitation Intel

CISA KEV 2022-01-18
VulnCheck KEV 2022-01-18
InTheWild.io 2022-01-14
ENISA EUVD EUVD-2021-1808

Classification

CWE
CWE-287
Status published

Affected Products (3)

octobercms/october < 1.1.5
octobercms/october
october/system < 1.0.472 (Packagist)

Timeline

Published Aug 26, 2021
KEV Added Jan 18, 2022
Tracked Since Feb 18, 2026