8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24800

GHSA ID

GHSA-8v7h-cpc2-r8jp

EPSS Score

0.83741%

CWE

CWE-362

Published

7/13/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24800

CVE-2022-24800: October CMS upload process vulnerable to RCE via Race Condition

Impact

This advisory affects plugins that expose the October\Rain\Database\Attach\File::fromData as a public interface. This vulnerability does not affect vanilla installations of October CMS since this method is not exposed or used by the system internally or externally.

When the developer allows the user to specify their own filename in the fromData method, an unauthenticated user can perform remote code execution (RCE) by exploiting a race condition in the temporary storage directory.

Patches

The issue has been patched in Build 476 (v1.0.476) and v1.1.12 and v2.2.15.

Workarounds

Apply https://github.com/octobercms/library/commit/fe569f3babf3f593be2b1e0a4ae0283506127a83 to your installation manually if unable to upgrade to Build 476 (v1.0.476) or v1.1.12 or v2.2.15.

References

Credits to:

DucNT, HungTD and GiangVQ from RedTeam@VNG Security Response Center.

For more information

If you have any questions or comments about this advisory:

Email us at hello@octobercms.com

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24800

GHSA ID

GHSA-8v7h-cpc2-r8jp

EPSS Score

0.83741%

CWE

CWE-362

Published

7/13/2022

Updated

1/27/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
october/system	composer	< 1.0.476	1.0.476
october/system	composer	>= 1.1.0, < 1.1.12	1.1.12
october/system	composer	>= 2.0.0, < 2.2.15	2.2.15

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the File::fromData method's handling of user-supplied filenames. The original code used the user-provided filename directly to create a temporary file path (via temp_path(basename($filename))), allowing attackers to predict the temporary file's location. This predictability enabled a race condition where an attacker could write a malicious payload to the temporary file and execute it before the system deleted it. The patch introduced a randomized temporary filename (via uniqid()), breaking the predictability. The commit diff confirms this critical change occurred in the fromData method's logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is **visory *****ts plu*ins t**t *xpos* t** `O*to**r\R*in\**t***s*\*tt***\*il*::*rom**t*` *s * pu*li* int*r****. T*is vuln*r**ility *o*s not *****t v*nill* inst*ll*tions o* O*to**r *MS sin** t*is m*t*o* is not *xpos** or us** *y t** sys

Reasoning

T** vuln*r**ility st*ms *rom t** *il*::*rom**t* m*t*o*'s **n*lin* o* us*r-suppli** *il*n*m*s. T** ori*in*l *o** us** t** us*r-provi*** *il*n*m* *ir**tly to *r**t* * t*mpor*ry *il* p*t* (vi* `t*mp_p*t*(**s*n*m*($*il*n*m*))`), *llowin* *tt**k*rs to pr*

8.1

Basic Information

Concerned about an active attack path?

CVE-2022-24800: October CMS upload process vulnerable to RCE via Race Condition

Impact

Patches

Workarounds

References

For more information

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI