CVE-2021-32648
Published: 26 August 2021
Summary
CVE-2021-32648 is a high-severity Improper Authentication (CWE-287) vulnerability in October CMS (vendor: octobercms). Its CVSS base score is 8.2 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
October CMS, a content management system built on the Laravel PHP Framework, is affected by CVE-2021-32648 in the october/system package. The vulnerability stems from improper authentication handling during password reset flows, enabling an attacker to manipulate a reset request and subsequently access a target account. It carries a CVSS 3.1 score of 8.2 and is associated with CWE-287.
An unauthenticated remote attacker can initiate a password reset for any account and then submit a specially crafted follow-up request to complete the reset process without valid authorization. This grants the attacker control over the account, resulting in high confidentiality impact and limited integrity changes while leaving availability unaffected.
The vulnerability has been addressed in October CMS Build 472 and version 1.1.5. Official patches are documented in the GitHub security advisory GHSA-mxr5-mc97-63rc along with the referenced commits that correct the reset logic in the library.
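To make the authentication requirements of a reset flow concrete, the following Python sketch (added here as an illustration; it is not code from October CMS, from the october/system package, or from the advisory) models the two-step flow the analysis describes: a request that mints a token for an account, and a follow-up request that completes the reset. The in-memory USERS table, its field names, the token format and the function names are all assumptions. The weak variant illustrates the general CWE-287 pattern of a completion check that never establishes that the request is actually authorized; it does not reproduce the specific October CMS defect, whose internals this page does not give. The hardened variant checks that a reset is pending for the named account, that the token has not expired, compares digests in constant time, and invalidates the token after use, so a request carrying no token, or a token minted for a different account, is rejected.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory account table standing in for the CMS database.
# Field names are hypothetical, not October CMS's schema.
USERS = {
    "victim": {"password_hash": None, "reset_token_hash": None, "reset_expires": None},
    "attacker": {"password_hash": None, "reset_token_hash": None, "reset_expires": None},
}

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset token


def _hash_password(password: str) -> str:
    # Salted PBKDF2 from the standard library; a real deployment uses the
    # framework's own password hasher.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


def _hash_token(token: str) -> str:
    # Only a digest of the token is stored, so reading the database alone
    # is not enough to complete a reset.
    return hashlib.sha256(token.encode()).hexdigest()


def _clear_reset(user: dict) -> None:
    user["reset_token_hash"] = None
    user["reset_expires"] = None


def request_reset(username: str, now: float) -> Optional[str]:
    """Step 1: mint a single-use token bound to this account. In a real
    system it is delivered out of band and never appears in the response."""
    user = USERS.get(username)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    user["reset_token_hash"] = _hash_token(token)
    user["reset_expires"] = now + RESET_TTL_SECONDS
    return token


def complete_reset_weak(username: str, token: Optional[str], new_password: str) -> bool:
    """Generic illustration of the CWE-287 bug class (not October CMS's code):
    the stored and submitted values are compared without first establishing
    that a reset is pending, so an account with no pending reset (stored None)
    is 'matched' by a request that carries no token at all."""
    user = USERS.get(username)
    if user is None:
        return False
    submitted = _hash_token(token) if token is not None else None
    if user["reset_token_hash"] == submitted:  # None == None is True
        user["password_hash"] = _hash_password(new_password)
        return True
    return False


def complete_reset(username: str, token: Optional[str], new_password: str, now: float) -> bool:
    """Step 2, hardened: every condition that authenticates the request is
    checked explicitly, and the token is compared only against the record of
    the account named in the request, so a token minted for another account
    is useless here."""
    user = USERS.get(username)
    if user is None or not token:
        return False                      # unknown account or empty token
    stored = user["reset_token_hash"]
    expires = user["reset_expires"]
    if stored is None or expires is None:
        return False                      # no reset pending for this account
    if now > expires:
        _clear_reset(user)
        return False                      # stale token
    if not hmac.compare_digest(stored, _hash_token(token)):
        return False                      # wrong token (constant-time compare)
    user["password_hash"] = _hash_password(new_password)
    _clear_reset(user)                    # single use
    return True
```

Because the hardened path looks the record up by the account named in the request and only then compares the token, the token is implicitly bound to the account it was issued for; a separate lookup by token alone would need an explicit account check to get the same property.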
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-1808
Vulnerability details
octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.
- CWE(s): CWE-287 (Improper Authentication)
- KEV Date Added: 18 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- october/system package (October CMS) prior to Build 472 and v1.1.5
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces that password-reset operations may only be completed by a properly authenticated user, directly blocking the crafted unauthorized reset request.
- IA-2 (Identification and Authentication (Organizational Users)): Requires successful identification and authentication before any account-modifying action such as completing a password reset.
- Mandates secure procedures for authenticator (password) reset that would have prevented the flawed reset flow exploited by the CVE.