CVE-2021-32648

unknown KEV

Published 2021-08-30 · Modified 2022-01-18

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:H

CVSS v2

—

VIR risk

1.5

Description

In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.

CISA KEV

Vendor: October CMS
Product: October CMS
Due date: 2022-02-01

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — https://nvd.nist.gov/vuln/detail/CVE-2021-32648

Exploits

Package impact

Ecosystem	Package	Vulnerable	Fixed
Packagist	october/system	`<1.0.472`	`1.0.472`
Packagist	october/system	`>=1.1.1,<1.1.5`	`1.1.5`

References

https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc
https://nvd.nist.gov/vuln/detail/CVE-2021-32648
https://github.com/octobercms/library/commit/016a297b1bec55d2e53bc889458ed2cb5c3e9374
https://github.com/octobercms/library/commit/5bd1a28140b825baebe6becd4f7562299d3de3b9
https://github.com/octobercms/october
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-32648

Verify integrity in audit chain (admin only). AS-IS.