CVE-2022-35944
MEDIUM
October CMS < 2.2.34 - Authenticated PHP Code Injection via CMS Template Editor
Title source: llmDescription
October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request. The issue has been patched in versions 2.2.34 and 3.0.66.
References (1)
Third Party Advisory
https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v
Scores
CVSS v3
6.2
EPSS
0.0086
EPSS Percentile
54.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (2)
october/system
2.0.0 - 2.2.34 (Packagist)
octobercms/october
< 2.2.34
Published
Oct 13, 2022
Tracked Since
Feb 18, 2026