CVE-2022-23655
Summary
| CVE | CVE-2022-23655 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-02-24 00:15:00 UTC |
| Updated | 2022-03-07 17:15:00 UTC |
| Description | Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to build 474 or v1.1.10. The only known workaround is to manually apply the patch (e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a) which adds server signature validation. |
Risk And Classification
Problem Types: CWE-347
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Octobercms | October | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Checks gateway server has a valid signature · octobercms/october@e3b455a · GitHub | MISC | github.com | |
| Compromised gateway causes data breach · Advisory · octobercms/october · GitHub | CONFIRM | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.