
CVE-2024-24764: October System module has an Open Redirect for Administrator Accounts

CVSS Score: 3.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.26029%
Published: 6/26/2024
Updated: 6/26/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L

Package Name: october/system
Ecosystem: composer
Vulnerable Versions: >= 3.2, < 3.5.15
First Patched Version: 3.5.15

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability centers on improper handling of `october://` URIs in the PageFinder component. The advisory states that the resolver allowed external links, which indicates the URI resolution routine did not check that a resolved target pointed at an internal page before returning it. The PageFinder class is logically responsible for link resolution in the system module, and its resolve method would be the primary entry point for processing these scheme-based links. The high confidence comes from the direct correlation between the described vulnerability pattern (an open redirect via a custom URI scheme) and typical link-resolution implementations in CMS architectures.
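As an added illustration of the pattern the analysis describes (this is not October CMS code and not part of the original page), below is a minimal PageFinder-style resolver in its vulnerable form, which passes any non-`october://` input through unchanged, beside a hardened form that refuses unknown schemes and checks the resolved target before it is used for a redirect. The `october://type@link/reference` link shape, the page map and the host allow-list are assumptions made for the example.

```php
<?php
// Added example, not October CMS code. The link format, KNOWN_PAGES and
// ALLOWED_HOSTS are assumptions for illustration only.

declare(strict_types=1);

// Constructed sample: internal page slugs known to the (hypothetical) CMS.
const KNOWN_PAGES = [
    'about'   => '/about-us',
    'contact' => '/contact',
];

// Hosts an administrator may legitimately be sent to after resolution.
const ALLOWED_HOSTS = ['cms.example.test'];

/**
 * Vulnerable pattern (assumed): a link that is not october:// is returned
 * as-is, so `https://attacker.example/phish` resolves to itself and the
 * caller redirects the administrator off-site.
 */
function resolveLinkVulnerable(string $link): ?string
{
    if (preg_match('#^october://([a-z-]+)@link/(.+)$#', $link, $m)) {
        return KNOWN_PAGES[$m[2]] ?? null;
    }
    return $link; // open redirect: external URLs pass straight through
}

/**
 * Hardened version: only october:// links resolve, unknown pages yield
 * null, and the result must still pass the redirect-target check.
 */
function resolveLinkHardened(string $link): ?string
{
    if (!preg_match('#^october://([a-z-]+)@link/([a-z0-9-]+)$#', $link, $m)) {
        return null; // unknown scheme: refuse rather than pass through
    }
    $target = KNOWN_PAGES[$m[2]] ?? null;
    if ($target === null) {
        return null;
    }
    return isSafeRedirectTarget($target) ? $target : null;
}

/**
 * Accept only site-relative paths (no scheme, no authority, no leading
 * `//` or `\\`) or absolute http(s) URLs whose host is allow-listed.
 */
function isSafeRedirectTarget(string $url): bool
{
    // Reject protocol-relative and backslash forms before parse_url sees them.
    if (preg_match('#^[\\\\/]{2}#', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return isset($parts['path']) && strncmp($parts['path'], '/', 1) === 0;
    }
    return in_array($parts['scheme'] ?? '', ['http', 'https'], true)
        && in_array(strtolower($parts['host'] ?? ''), ALLOWED_HOSTS, true);
}

// Constructed inputs: one legitimate link and two attacker-supplied URLs.
$samples = [
    'october://cms-page@link/about',
    'https://attacker.example/phish',
    '//attacker.example/phish',
];
foreach ($samples as $s) {
    printf("%-34s vulnerable=%-34s hardened=%s\n",
        $s,
        var_export(resolveLinkVulnerable($s), true),
        var_export(resolveLinkHardened($s), true));
}
```

Run with `php resolver.php`: the first sample resolves to `/about-us` in both versions, while the two attacker URLs are returned unchanged by the vulnerable resolver and as `NULL` by the hardened one. The separate `isSafeRedirectTarget()` check is the part worth keeping at the redirect call site itself, so that a future link type that stores an admin-entered URL cannot reintroduce the problem.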


Impact

This advisory affects authenticated administrators who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema (`october://`) allowed external links, therefore allowing an open redirect.

Exploitation requires a logged-in administrator to follow a crafted link (PR:H and UI:R in the vector above), which is why the base score is low. The fix is to upgrade october/system to 3.5.15 or later.
