Description
October is a Content Management System (CMS) and web platform built on the the Laravel PHP Framework. In affected versions administrator accounts which had previously been deleted may still be able to sign in to the backend using October CMS v2.0. The issue has been patched in v2.1.12 of the october/october package. There are no workarounds for this issue and all users should update.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7
Release Notes, Vendor Advisory x_refsource_misc
https://octobercms.com/changelog
Scores
CVSS v3
7.2
EPSS
0.0106
EPSS Percentile
60.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (3)
october/october
2.1.0 - 2.1.12Packagist
october/system
2.1.0 - 2.1.12Packagist
octobercms/october
2.0.0 - 2.1.12
Published
Oct 06, 2021
Tracked Since
Feb 18, 2026