CVE-2022-35944

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-35944
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35944.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-35944
Aliases
Published
2022-10-13T00:00:00Z
Modified
2025-10-13T04:35:28Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L
Summary
October CMS Safe Mode bypass leads to authenticated RCE (Remote Code Execution)
Details

October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode (cms.safe_mode) restriction to introduce new PHP code in a CMS template using a specially crafted request. The issue has been patched in versions 2.2.34 and 3.0.66.

References

Affected packages

Git /

Affected ranges

Database specific

unresolved_versions

[
    {
        "events": [
            {
                "introduced": "3.0.0"
            },
            {
                "fixed": "3.0.66"
            }
        ],
        "type": ""
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "2.2.34"
            }
        ],
        "type": ""
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35944.json"