logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2021-21265 october/backend

Package

Manager: composer
Name: october/backend
Vulnerable Version: >=0 <1.1.2

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0047 pctl0.63641

Details

October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers ### Impact When running on servers that are configured to accept a wildcard as a hostname (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. See the following resources for more information on Host Header Poisoning: - https://portswigger.net/web-security/host-header - https://dzone.com/articles/what-is-a-host-header-attack ### Patches A feature has been added in v1.1.2 to allow a set of trusted hosts to be specified in the application. ### Workarounds - Apply https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 & https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 to your installation manually if unable to upgrade to v1.1.2. - Check that the configuration setting `cms.linkPolicy` is set to `force`. ### Alternative Workaround Check to make sure that your web server does not accept any hostname when serving your web application. 1. Add an entry called `testing.tld` to your computer's host file and direct it to your server's IP address 2. Open the address `testing.tld` in your web browser 3. Make sure an October CMS website is not available at this address If an October CMS website is returned, configure your webserver to only allow known hostnames. If you require assistance with this, please contact your server administrator. ### References Reported by [Abdullah Hussam](https://github.com/ahussam) ### For More Information If you have any questions or comments about this advisory: * Email us at [hello@octobercms.com](mailto:hello@octobercms.com) ### Threat Assessment <img width="1108" alt="Screen Shot 2021-01-15 at 4 12 57 PM" src="https://user-images.githubusercontent.com/7253840/104783859-92fb3600-574c-11eb-9e21-c0dc05d230a9.png">

Metadata

Created: 2021-03-10T21:07:25Z
Modified: 2025-05-29T23:26:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-xhfx-hgmf-v6vp/GHSA-xhfx-hgmf-v6vp.json
CWE IDs: ["CWE-644"]
Alternative ID: GHSA-xhfx-hgmf-v6vp
Finding: F184
Auto approve: 1