🐘 Packagist

GHSA-53m6-44rc-h2q5

MEDIUM

Missing server signature validation in OctoberCMS

Also known as CVE-2022-23655
Published
Feb 24, 2022
Updated
Nov 8, 2023
Affected
2 pkgs
Patched
2 / 2
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.6% probability of exploitation in the next 30 days
Lower Risk: 46th percentile (+0.49%)
[EPSS trend chart: probability over time, Dec 25 to Jun 26]

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

2 pkgs affected
🐘 october/system


Description

Impact

This advisory affects authors of plugins and themes listed on the October CMS marketplace, in a scenario where an end-user inadvertently exposes authors to potential financial loss by entering their private license key into a compromised server.

It has been disclosed that a project fork of October CMS v1.0 is using a compromised gateway to access the October CMS marketplace service. The compromised gateway captures the personal/business information of users and authors, including private source code files. It was also disclosed that captured plugin files are freely redistributed to other users without authorization.

  1. End-users are provided with a forked version of October CMS v1.0. The provided software is modified to use a compromised gateway server.

  2. The user is instructed to enter their October CMS license key into the administration panel to access the October CMS marketplace. The key is sent to the compromised server while appearing to access the genuine October CMS gateway server.

  3. The compromised gateway server uses a "man in the middle" mechanism that captures information while forwarding the request to the genuine October CMS gateway and relaying the response back to the client.

  4. The compromised gateway server stores the license key and other information about the user account including client name, email address and contents of purchased plugins and privately uploaded plugin files.

  5. The stored plugin files are made available to other users of the compromised gateway server.

Patches

The issue has been patched in Build 475 (v1.0.475) and v1.1.11.

Workarounds

Apply https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a to your installation manually if unable to upgrade to Build 475 or v1.1.11.

Recommendations

We recommend the following steps to make sure your account information stays secure:

  • Do not share your license key with anyone except October CMS.
  • Check to make sure that your gateway update server has not been modified.
  • Be aware of phishing websites, including other platforms that use the same appearance.
  • For authors, you may contact us for help requesting the removal of affected plugins.
  • Before providing plugin support, verify that the user holds a legitimate copy of the plugin.
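One way to act on the "check that your gateway update server has not been modified" recommendation, as an added example that is not October CMS code: every relay of the kind described above has to change the gateway URL the installation talks to, so the check below inspects that setting. The genuine host name and the `updateServer` key in `config/cms.php` are assumptions.

```python
"""Gateway URL integrity check for an October CMS installation (added example).

Assumptions: the genuine gateway host below and the 'updateServer' key name.
Findings are returned as strings so the check can feed a scanner or a CI job.
"""
import re
from urllib.parse import urlsplit

GENUINE_GATEWAY_HOST = "gateway.octobercms.com"   # assumption: genuine host
CONFIG_KEY = "updateServer"                       # assumption: key in config/cms.php


def check_gateway_url(url: str) -> list[str]:
    """Return findings for a configured gateway URL; empty means it looks genuine."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        findings.append(f"scheme '{parts.scheme or '<none>'}' instead of https")
    if parts.username is not None or parts.password is not None:
        findings.append("credentials embedded in URL (userinfo before the host)")
    try:
        port = parts.port
    except ValueError:          # unparsable port string
        port = -1
    if port not in (None, 443):
        findings.append(f"non-standard port {port}")
    if host != GENUINE_GATEWAY_HOST:
        findings.append(f"host '{host}' is not '{GENUINE_GATEWAY_HOST}'")
        # A relay that wants to look legitimate often reuses the brand name
        # as a prefix/subdomain or hides behind an IDN (punycode) label.
        if "octobercms" in host or any(l.startswith("xn--") for l in host.split(".")):
            findings.append("host resembles the genuine gateway (lookalike or IDN label)")
    return findings


def scan_cms_config(php_source: str) -> dict:
    """Locate the gateway setting in config/cms.php text and check it."""
    m = re.search(rf"'{CONFIG_KEY}'\s*=>\s*'([^']*)'", php_source)
    if not m:
        return {"url": None, "findings": [f"'{CONFIG_KEY}' not set; the build's default is in effect"]}
    return {"url": m.group(1), "findings": check_gateway_url(m.group(1))}


# Constructed sample: a config/cms.php fragment as a modified fork might ship it.
SAMPLE_MODIFIED_CONFIG = """
    'updateServer' => 'http://gateway.octobercms.com.updates.example/api',
"""

if __name__ == "__main__":
    result = scan_cms_config(SAMPLE_MODIFIED_CONFIG)
    print(result["url"], *result["findings"], sep="\n  ")
```

Run it against your own `config/cms.php` (and any environment override) rather than the constructed sample; a clean install reports no findings for the genuine host.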

References

Credits for research on this exploit: Nikita Khaetsky

For more information

If you have any questions or comments about this advisory:

Affected Packages

2 total, 2 fixed

| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘 Packagist | october/system | >= 1.1.0 && < 1.1.11 | 1.1.11 |
| 🐘 Packagist | october/system | all versions (1.0.x) | 1.0.475 |

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (for a Packagist package such as this one, composer.lock; for other ecosystems package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for october/system. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update october/system to 1.1.11 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-53m6-44rc-h2q5 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-53m6-44rc-h2q5 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-53m6-44rc-h2q5. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

O3 Security · Impact-Aware SCA
