GHSA-h76r-vgf3-j6w5
HIGHOctober CMS auth bypass and account takeover
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
october/system🐘october/systemReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Impact
An attacker can exploit this vulnerability to bypass authentication using a specially crafted persist cookie.
- To exploit this vulnerability, an attacker must obtain a Laravel’s secret key for cookie encryption and signing.
- Due to the logic of how this mechanism works, a targeted user account must be logged in while the attacker is exploiting the vulnerability.
- Authorization via persist cookie not shown in access logs.
Patches
- Issue has been patched in Build 472 and v1.1.5
- Shortened patch instructions
Workarounds
Apply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9 to your installation manually if you are unable to upgrade.
[Update 2022-01-20] Shortened patch instructions can be found here.
Recommendations
We recommend the following steps to make sure your server stays secure:
- Keep server OS and system software up to date.
- Keep October CMS software up to date.
- Use a multi-factor authentication plugin.
- Change the default backend URL or block public access to the backend area.
- Include the Roave/SecurityAdvisories Composer package to ensure that your application doesn't have installed dependencies with known security vulnerabilities.
References
Bugs found as part of Solar Security CMS Research. Credits to: • Andrey Basarygin • Andrey Guzei • Mikhail Khramenkov • Alexander Sidukov • Maxim Teplykh
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | october/system | all versions | 1.0.472 |
| 🐘Packagist | october/system | ≥ 1.1.1&&< 1.1.5 | 1.1.5 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for october/system. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update october/system to 1.0.472 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-h76r-vgf3-j6w5 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-h76r-vgf3-j6w5 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-h76r-vgf3-j6w5. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-h76r-vgf3-j6w5 in your dependencies?
O3 detects GHSA-h76r-vgf3-j6w5 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.