{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-23T03:08:13.960","vulnerabilities":[{"cve":{"id":"CVE-2021-32649","sourceIdentifier":"security-advisories@github.com","published":"2022-01-14T15:15:07.523","lastModified":"2024-11-21T06:07:27.430","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"October CMS is a self-hosted content management system (CMS) platform based on the Laravel PHP Framework. Prior to versions 1.0.473 and 1.1.6, an attacker with \"create, modify and delete website pages\" privileges in the backend is able to execute PHP code by running specially crafted Twig code in the template markup. The issue has been patched in Build 473 (v1.0.473) and v1.1.6. Those unable to upgrade may apply the patch to their installation manually as a workaround."},{"lang":"es","value":"October CMS es una plataforma de sistema de administración de contenidos (CMS) auto alojada basada en el framework PHP Laravel. En versiones anteriores a 1.0.473 y 1.1.6, un atacante con privilegios \"create, modify and delete website pages\" en el backend es capaz de ejecutar código PHP mediante la ejecución de código Twig especialmente diseñado en el marcado de la plantilla. El problema ha sido parcheado en la Build 473 (v1.0.473) y versión v1.1.6. Los que no puedan actualizar pueden aplicar el parche a su instalación manualmente como medida de mitigación"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","baseScore":6.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-74"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-94"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*","versionEndExcluding":"1.0.473","matchCriteriaId":"825E6E25-2039-4C79-9B48-EDE2B1EB9A2F"},{"vulnerable":true,"criteria":"cpe:2.3:a:octobercms:october:*:*:*:*:*:*:*:*","versionStartIncluding":"1.1.0","versionEndExcluding":"1.1.6","matchCriteriaId":"C00C0780-FBDC-493D-B97B-CE805D3606B7"}]}]}],"references":[{"url":"https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/octobercms/october/security/advisories/GHSA-wv23-pfj7-2mjj","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/octobercms/october/commit/167b592eed291ae1563c8fcc5b9b34a03a300f26","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/octobercms/october/security/advisories/GHSA-wv23-pfj7-2mjj","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]}]}}]}