Cyber Resilience

CVE-2021-32648

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 26 August 2021
Modified: 24 October 2025
KEV added: 18 January 2022
CVSS v3.1 score: 8.2 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS score: 0.9304 (99.8th percentile)
Risk priority: 92 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-32648 is a high-severity Improper Authentication (CWE-287) vulnerability in October CMS (vendor octobercms, product october). Its CVSS base score is 8.2 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS 0.9304, 99.8th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

October CMS, a content management system built on the Laravel PHP Framework, is affected by CVE-2021-32648 in the october/system package. The vulnerability stems from improper authentication handling during password reset flows, enabling an attacker to manipulate a reset request and subsequently access a target account. It carries a CVSS 3.1 score of 8.2 and is associated with CWE-287.

An unauthenticated remote attacker can initiate a password reset for any account and then submit a specially crafted follow-up request to complete the reset process without valid authorization. This grants the attacker control over the account, resulting in high confidentiality impact and limited integrity changes while leaving availability unaffected.

The vulnerability has been addressed in October CMS Build 472 and version 1.1.5. Official patches are documented in the GitHub security advisory GHSA-mxr5-mc97-63rc along with the referenced commits that correct the reset logic in the library.


Vulnerability details

octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

CWE(s): CWE-287 (Improper Authentication)
KEV date added: 18 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: octobercms
Product: october
Affected versions: 1.0.471 · 1.1.1 — 1.1.5

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces that password-reset operations may only be completed by a properly authenticated user, directly blocking the crafted unauthorized reset request.

Prevent: Requires successful identification and authentication before any account-modifying action such as completing a password reset.

Prevent: Mandates secure procedures for authenticator (password) reset that would have prevented the flawed reset flow exploited by the CVE.
