7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29487

GHSA ID

GHSA-h76r-vgf3-j6w5

EPSS Score

0.6511%

CWE

CWE-287

Published

8/30/2021

Updated

1/29/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-29487

CVE-2021-29487: October CMS auth bypass and account takeover

Impact

An attacker can exploit this vulnerability to bypass authentication using a specially crafted persist cookie.

To exploit this vulnerability, an attacker must obtain a Laravel’s secret key for cookie encryption and signing.
Due to the logic of how this mechanism works, a targeted user account must be logged in while the attacker is exploiting the vulnerability.
Authorization via persist cookie not shown in access logs.

Patches

Issue has been patched in Build 472 and v1.1.5
Shortened patch instructions

Workarounds

Apply https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374 and https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9 to your installation manually if you are unable to upgrade.

[Update 2022-01-20] Shortened patch instructions can be found here.

Recommendations

We recommend the following steps to make sure your server stays secure:

Keep server OS and system software up to date.
Keep October CMS software up to date.
Use a multi-factor authentication plugin.
Change the default backend URL or block public access to the backend area.
Include the Roave/SecurityAdvisories Composer package to ensure that your application doesn't have installed dependencies with known security vulnerabilities.

References

Bugs found as part of Solar Security CMS Research. Credits to: • Andrey Basarygin • Andrey Guzei • Mikhail Khramenkov • Alexander Sidukov • Maxim Teplykh

For more information

If you have any questions or comments about this advisory:

Email us at hello@octobercms.com

(GitHub Advisory)

7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-29487

GHSA ID

GHSA-h76r-vgf3-j6w5

EPSS Score

0.6511%

CWE

CWE-287

Published

8/30/2021

Updated

1/29/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
october/system	composer	< 1.0.472	1.0.472
october/system	composer	>= 1.1.1, < 1.1.5	1.1.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability stems from improper type comparisons in authentication checks. The patch commits show multiple instances where loose equality operators (==) were replaced with strict comparisons (===) and values were explicitly cast to integers. The most critical appears in checkPersistCode() which handles persistent session cookies. Loose comparison here would allow type juggling (e.g., 0 == '0abc') enabling forged cookies. The hasPermission() changes suggest secondary authorization weaknesses. Both functions directly relate to the described auth bypass via manipulated cookies when combined with Laravel's encryption key.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n *tt**k*r **n *xploit t*is vuln*r**ility to *yp*ss *ut**nti**tion usin* * sp**i*lly *r**t** p*rsist *ooki*. - To *xploit t*is vuln*r**ility, *n *tt**k*r must o*t*in * L*r*v*l’s s**r*t k*y *or *ooki* *n*ryption *n* si*nin*. - *u* to t**

Reasoning

T** *or* vuln*r**ility st*ms *rom improp*r typ* *omp*risons in *ut**nti**tion ****ks. T** p*t** *ommits s*ow multipl* inst*n**s w**r* loos* *qu*lity op*r*tors (==) w*r* r*pl**** wit* stri*t *omp*risons (===) *n* v*lu*s w*r* *xpli*itly **st to int***r

7.4

Basic Information

Concerned about an active attack path?

CVE-2021-29487: October CMS auth bypass and account takeover

Impact

Patches

Workarounds

Recommendations

References

For more information

7.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI