CVE-2021-21265 (GCVE-0-2021-21265)
Vulnerability from cvelistv5
Published
2021-03-10 21:15
Modified
2025-05-29 23:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax
Summary
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| octobercms | october |
Version: < 1.1.2 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.269Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "october",
"vendor": "octobercms",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-644",
"description": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T23:27:29.528Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"
},
{
"name": "https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d"
},
{
"name": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"
},
{
"name": "https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30"
},
{
"name": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"
},
{
"name": "https://packagist.org/packages/october/backend",
"tags": [
"x_refsource_MISC"
],
"url": "https://packagist.org/packages/october/backend"
}
],
"source": {
"advisory": "GHSA-xhfx-hgmf-v6vp",
"discovery": "UNKNOWN"
},
"title": "October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21265",
"datePublished": "2021-03-10T21:15:15",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2025-05-29T23:27:29.528Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2021-21265\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-03-10T22:15:12.057\",\"lastModified\":\"2025-05-30T00:15:20.330\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.\"},{\"lang\":\"es\",\"value\":\"October es una plataforma CMS gratuita, de c\u00f3digo abierto y autoinvitada basada en Laravel PHP Framework.\u0026#xa0;En October versiones anteriores a 1.1.2, cuando se ejecuta en servidores mal configurados (es decir, el servidor enruta cualquier petici\u00f3n, independientemente del encabezado HOST hacia una instancia CMS de october), se presenta la posibilidad de que los ataques de Envenenamiento del Encabezado de host tengan \u00e9xito.\u0026#xa0;Esto ha sido solucionado en la versi\u00f3n 1.1.2, al agregar una funci\u00f3n para permitir que se especifique un conjunto de hosts confiables en la aplicaci\u00f3n.\u0026#xa0;Como soluci\u00f3n alternativa, puede establecerse el ajuste de configuraci\u00f3n cms.linkPolicy para forzar\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-644\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.1.2\",\"matchCriteriaId\":\"E34205D2-FCF8-4F33-8835-3CEA0E253936\"}]}]}],\"references\":[{\"url\":\"https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://packagist.org/packages/october/backend\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
fkie_cve-2021-21265
Vulnerability from fkie_nvd
Published
2021-03-10 22:15
Modified
2025-05-30 00:15
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d | ||
| security-advisories@github.com | https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30 | ||
| security-advisories@github.com | https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp | Patch, Third Party Advisory | |
| security-advisories@github.com | https://packagist.org/packages/october/backend | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| octobercms | october | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E34205D2-FCF8-4F33-8835-3CEA0E253936",
"versionEndExcluding": "1.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force."
},
{
"lang": "es",
"value": "October es una plataforma CMS gratuita, de c\u00f3digo abierto y autoinvitada basada en Laravel PHP Framework.\u0026#xa0;En October versiones anteriores a 1.1.2, cuando se ejecuta en servidores mal configurados (es decir, el servidor enruta cualquier petici\u00f3n, independientemente del encabezado HOST hacia una instancia CMS de october), se presenta la posibilidad de que los ataques de Envenenamiento del Encabezado de host tengan \u00e9xito.\u0026#xa0;Esto ha sido solucionado en la versi\u00f3n 1.1.2, al agregar una funci\u00f3n para permitir que se especifique un conjunto de hosts confiables en la aplicaci\u00f3n.\u0026#xa0;Como soluci\u00f3n alternativa, puede establecerse el ajuste de configuraci\u00f3n cms.linkPolicy para forzar"
}
],
"id": "CVE-2021-21265",
"lastModified": "2025-05-30T00:15:20.330",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-10T22:15:12.057",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"
},
{
"source": "security-advisories@github.com",
"url": "https://packagist.org/packages/october/backend"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-644"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
ghsa-xhfx-hgmf-v6vp
Vulnerability from github
Published
2021-03-10 21:07
Modified
2025-05-29 23:26
VLAI Severity ?
Summary
October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers
Details
Impact
When running on servers that are configured to accept a wildcard as a hostname (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. See the following resources for more information on Host Header Poisoning: - https://portswigger.net/web-security/host-header - https://dzone.com/articles/what-is-a-host-header-attack
Patches
A feature has been added in v1.1.2 to allow a set of trusted hosts to be specified in the application.
Workarounds
-
Apply https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 & https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 to your installation manually if unable to upgrade to v1.1.2.
-
Check that the configuration setting
cms.linkPolicyis set toforce.
Alternative Workaround
Check to make sure that your web server does not accept any hostname when serving your web application.
- Add an entry called
testing.tldto your computer's host file and direct it to your server's IP address - Open the address
testing.tldin your web browser - Make sure an October CMS website is not available at this address
If an October CMS website is returned, configure your webserver to only allow known hostnames. If you require assistance with this, please contact your server administrator.
References
Reported by Abdullah Hussam
For More Information
If you have any questions or comments about this advisory: * Email us at hello@octobercms.com
Threat Assessment
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "october/backend"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21265"
],
"database_specific": {
"cwe_ids": [
"CWE-644"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-10T21:07:08Z",
"nvd_published_at": "2021-03-10T22:15:00Z",
"severity": "LOW"
},
"details": "### Impact\nWhen running on servers that are configured to accept a wildcard as a hostname (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. See the following resources for more information on Host Header Poisoning:\n- https://portswigger.net/web-security/host-header\n- https://dzone.com/articles/what-is-a-host-header-attack\n\n### Patches\n\nA feature has been added in v1.1.2 to allow a set of trusted hosts to be specified in the application.\n\n### Workarounds\n\n- Apply https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 \u0026 https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 to your installation manually if unable to upgrade to v1.1.2.\n\n- Check that the configuration setting `cms.linkPolicy` is set to `force`.\n\n### Alternative Workaround\n\nCheck to make sure that your web server does not accept any hostname when serving your web application.\n\n1. Add an entry called `testing.tld` to your computer\u0027s host file and direct it to your server\u0027s IP address\n2. Open the address `testing.tld` in your web browser\n3. Make sure an October CMS website is not available at this address\n\nIf an October CMS website is returned, configure your webserver to only allow known hostnames. If you require assistance with this, please contact your server administrator.\n\n### References\n\nReported by [Abdullah Hussam](https://github.com/ahussam)\n\n### For More Information\n\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat Assessment\n\u003cimg width=\"1108\" alt=\"Screen Shot 2021-01-15 at 4 12 57 PM\" src=\"https://user-images.githubusercontent.com/7253840/104783859-92fb3600-574c-11eb-9e21-c0dc05d230a9.png\"\u003e",
"id": "GHSA-xhfx-hgmf-v6vp",
"modified": "2025-05-29T23:26:01Z",
"published": "2021-03-10T21:07:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21265"
},
{
"type": "WEB",
"url": "https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d"
},
{
"type": "WEB",
"url": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"
},
{
"type": "WEB",
"url": "https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30"
},
{
"type": "WEB",
"url": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/october/backend"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers"
}
gsd-2021-21265
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-21265",
"description": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.",
"id": "GSD-2021-21265"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-21265"
],
"details": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.",
"id": "GSD-2021-21265",
"modified": "2023-12-13T01:23:10.868518Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21265",
"STATE": "PUBLIC",
"TITLE": "Potential Host Header Poisoning on misconfigured servers"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "october",
"version": {
"version_data": [
{
"version_value": "\u003c 1.1.2"
}
]
}
}
]
},
"vendor_name": "octobercms"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp",
"refsource": "CONFIRM",
"url": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"
},
{
"name": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6",
"refsource": "MISC",
"url": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"
},
{
"name": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0",
"refsource": "MISC",
"url": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"
}
]
},
"source": {
"advisory": "GHSA-xhfx-hgmf-v6vp",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.1.2",
"affected_versions": "All versions before 1.1.2",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-644",
"CWE-937"
],
"date": "2021-03-11",
"description": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.",
"fixed_versions": [
"1.1.2"
],
"identifier": "CVE-2021-21265",
"identifiers": [
"GHSA-xhfx-hgmf-v6vp",
"CVE-2021-21265"
],
"not_impacted": "All versions starting from 1.1.2",
"package_slug": "packagist/october/backend",
"pubdate": "2021-03-10",
"solution": "Upgrade to version 1.1.2 or above.",
"title": "Improper Neutralization of HTTP Headers for Scripting Syntax",
"urls": [
"https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp",
"https://packagist.org/packages/october/backend",
"https://nvd.nist.gov/vuln/detail/CVE-2021-21265",
"https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6",
"https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0",
"https://github.com/advisories/GHSA-xhfx-hgmf-v6vp"
],
"uuid": "330d2402-8f02-4aae-9e1f-6356ea003ee0"
},
{
"affected_range": "\u003c1.1.2",
"affected_versions": "All versions before 1.1.2",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-644",
"CWE-937"
],
"date": "2021-03-18",
"description": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October, when running on poorly configured servers (i.e., the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting `cms.linkPolicy` to force.",
"fixed_versions": [
"1.1.2"
],
"identifier": "CVE-2021-21265",
"identifiers": [
"CVE-2021-21265",
"GHSA-xhfx-hgmf-v6vp"
],
"not_impacted": "All versions starting from 1.1.2",
"package_slug": "packagist/october/october",
"pubdate": "2021-03-10",
"solution": "Upgrade to version 1.1.2 or above.",
"title": "Improper Neutralization of HTTP Headers for Scripting Syntax",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-21265"
],
"uuid": "fa257cc5-a8c9-467f-8fc5-ae7cd1a32b4d"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.1.2",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21265"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-644"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6"
},
{
"name": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0"
},
{
"name": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2021-03-18T16:48Z",
"publishedDate": "2021-03-10T22:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…