Cyber Resilience

CVE-2022-21705

Severity: High
Published: 23 February 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (see Vulnerability details)
CVSS v3.1 Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7034 (98.7th percentile)
Risk Priority: 57 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-21705 is a high-severity Injection (CWE-74) vulnerability in OctoberCMS (vendor: octobercms, product: october). Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 1.3% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

OctoberCMS, a self-hosted CMS platform built on the Laravel PHP framework, contains an input sanitization flaw that allows authenticated users to bypass the cms.safe_mode and cms.enableSafeMode settings. The issue affects versions prior to Build 474 (v1.0.474) and v1.1.10 and is limited to installations that rely on safe mode together with restricted administrative permissions. An attacker who can create, modify, or delete website pages can supply unsanitized input that results in arbitrary code execution when the page is rendered.

Exploitation requires prior access to the backend administrative area; once that access is obtained, a user holding page-management privileges can execute arbitrary code on the server. The vulnerability is tracked as CWE-74 and carries a CVSS 3.1 base score of 7.2, reflecting high impact on confidentiality, integrity, and availability when the conditions are met.

Official advisories and patches direct administrators to upgrade to the fixed releases or to apply the commit c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe manually; the remediation is documented in the OctoberCMS GitHub security advisories GHSA-79jw-2f46-wv22.

EPSS for the CVE rose from lower values to a peak of 0.8631 before receding to the current score of 0.7034, indicating measurable post-disclosure exploitation interest.

Vulnerability details

OctoberCMS is a self-hosted CMS platform based on the Laravel PHP Framework. In affected versions user input was not properly sanitized before rendering. An authenticated user with the permissions to create, modify and delete website pages can exploit this vulnerability to bypass `cms.safe_mode` / `cms.enableSafeMode` in order to execute arbitrary code. This issue only affects admin panels that rely on safe mode and restricted permissions. To exploit this vulnerability, an attacker must first have access to the backend area. The issue has been patched in Build 474 (v1.0.474) and v1.1.10. Users unable to upgrade should apply https://github.com/octobercms/library/commit/c393c5ce9ca2c5acc3ed6c9bb0dab5ffd61965fe to their installation manually.

CWE(s)

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: octobercms
Product: october
Affected versions: ≤ 1.0.474; 1.1.0 to 1.1.10; 2.0.0 to 2.1.27
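The version ranges above are what an administrator has to compare an installation against, and the advisory's own wording ("Build 474 (v1.0.474)") means build numbers and dotted versions both turn up in practice. The following script is an added example, not code from OctoberCMS or from the advisory: it parses both notations and checks a version against the ranges exactly as listed in the Affected Assets entry. Note one caveat when reading the result: the listing's upper bound of 1.0.474 includes the build the advisory text names as patched, so the example follows the listing (the conservative reading) and an installation on exactly 1.0.474 should be confirmed against the fix commit rather than assumed safe. The helper names, the mapping of a bare build number to the 1.0 line, and the `relies_on_safe_mode` flag are this example's assumptions.

```python
"""Check an OctoberCMS version against the affected ranges listed for
CVE-2022-21705 on this page.  Added example; the ranges are copied from
the page's Affected Assets listing, everything else is this example's own.
"""
import re
from typing import Tuple

Version = Tuple[int, ...]

# (low inclusive, high inclusive), as listed on the page.
# A None low bound means "every version up to and including high".
AFFECTED_RANGES = [
    (None, "1.0.474"),
    ("1.1.0", "1.1.10"),
    ("2.0.0", "2.1.27"),
]

# Releases the advisory text names as patched.
FIXED_RELEASES = ("1.0.474", "1.1.10")


def parse_version(text: str) -> Version:
    """Accept 'v1.1.10', '1.1.10', 'Build 474' or '474'.

    A bare build number is mapped to 1.0.<build>, following the advisory's
    'Build 474 (v1.0.474)' wording.  Assumption: every bare build number
    belongs to the 1.0 line.
    """
    s = text.strip().lower()
    m = re.fullmatch(r"(?:build\s*)?(\d+)", s)
    if m:
        return (1, 0, int(m.group(1)))
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so '1.1' compares like (1, 1, 0).
    return parts + (0,) * (3 - len(parts))


def is_affected(version_text: str) -> bool:
    """True when the version sits inside any listed affected range."""
    v = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        in_upper = v <= parse_version(high)
        in_lower = low is None or v >= parse_version(low)
        if in_upper and in_lower:
            return True
    return False


def assess(version_text: str, relies_on_safe_mode: bool) -> str:
    """Summarise exposure in the terms the advisory uses.

    The page limits the issue to installations that rely on safe mode plus
    restricted admin permissions; an affected version that does not rely on
    safe mode is still told to upgrade, because the fix is a sanitisation
    change in the rendering path.
    """
    if not is_affected(version_text):
        return "not in affected range"
    if relies_on_safe_mode:
        return ("affected: safe-mode bypass possible for users with page "
                "permissions; upgrade or apply the fix commit")
    return "affected version, safe mode not relied upon; upgrade anyway"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, reported version, relies on safe mode)
    inventory = [
        ("cms-prod-1", "Build 473", True),
        ("cms-prod-2", "v1.1.10", True),
        ("cms-stage", "1.1.11", False),
        ("cms-legacy", "2.1.27", False),
    ]
    for host, ver, safe_mode in inventory:
        print(f"{host:12} {ver:10} -> {assess(ver, safe_mode)}")
```

Run it against an exported host inventory; the output is one line per host with the assessment string, and `is_affected` can be reused on its own where only the boolean is wanted.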

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
- Addresses CWE-74: Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).
