CVE-2022-24800

HIGH

October CMS < 1.0.476 - Unauthenticated Remote Code Execution via Race Condition in File Upload

Title source: llm

Description

October/System is the system module for October CMS, a self-hosted CMS platform based on the Laravel PHP Framework. Prior to versions 1.0.476, 1.1.12, and 2.2.15, when the developer allows the user to specify their own filename in the `fromData` method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory. This vulnerability affects plugins that expose the `October\Rain\Database\Attach\File::fromData` as a public interface and does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally. The issue has been patched in Build 476 (v1.0.476), v1.1.12, and v2.2.15. Those who are unable to upgrade may apply with patch to their installation manually as a workaround.

References (2)

Core 2

Core References

Patch, Third Party Advisory x_refsource_confirm

https://github.com/octobercms/october/security/advisories/GHSA-8v7h-cpc2-r8jp

Patch, Third Party Advisory x_refsource_misc

https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83

View Patch ZIP pw:eip

Scores

CVSS v3 8.1

EPSS 0.0114

EPSS Percentile 62.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-362

Status published

Products (2)

october/system 0 - 1.0.476Packagist

octobercms/october < 1.0.476

Published Jul 12, 2022

Tracked Since Feb 18, 2026