CVE-2022-23655— Missing server signature validation in OctoberCMS
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-23655
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Missing server signature validation in OctoberCMS
Source: NVD (National Vulnerability Database)
Vulnerability Description
Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Affected versions of OctoberCMS did not validate gateway server signatures. As a result non-authoritative gateway servers may be used to exfiltrate user private keys. Users are advised to upgrade their installations to build 474 or v1.1.10. The only known workaround is to manually apply the patch (e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a) which adds server signature validation.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
密码学签名的验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Octobercms 数据伪造问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Octobercms是美国Octobercms公司的一个基于Php的Cms建站系统。 Octobercms存在数据伪造问题漏洞,该漏洞源于在处理 zip 存档中文件名中的目录遍历序列时输入验证错误而存在的。 远程用户可以上传特制的 zip 存档并覆盖系统上的文件,从而导致系统受损。 该漏洞允许远程用户执行目录遍历攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| octobercms | october | >= 1.1.0, < 1.1.11 | - |
II. Public POCs for CVE-2022-23655
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-23655
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: october
- CVE-2026-29179
October: Editor Sub-Permission Bypass for Asset and Blueprin - CVE-2026-27937
October: Reflected XSS via DataTable Form Widget - CVE-2026-26274
October: Safe Mode Bypass via Twig Database Write Operations - CVE-2026-26067
October: Safe Mode Bypass via CSS Preprocessor Compilers - CVE-2026-25133
October CMS has Stored XSS via SVG Filter Bypass
Same vendor: octobercms
- CVE-2026-29179
October: Editor Sub-Permission Bypass for Asset and Blueprin - CVE-2026-27937
October: Reflected XSS via DataTable Form Widget - CVE-2026-26274
October: Safe Mode Bypass via Twig Database Write Operations - CVE-2026-26067
October: Safe Mode Bypass via CSS Preprocessor Compilers - CVE-2026-25133
October CMS has Stored XSS via SVG Filter Bypass
Same weakness: CWE-347
- CVE-2026-42193
Plunk: SNS webhook forgery - CVE-2026-44497
ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type - CVE-2026-41669
Admidio: SAML Signature Validation Result Ignored — Forged A - CVE-2026-7689
Dolibarr ERP CRM Online Signature security.lib.php dol_verif - CVE-2026-33467
Improper Verification of Cryptographic Signature in Elastic
V. Comments for CVE-2022-23655
No comments yet