CVE-2021-21265 MEDIUM

CVE-2021-21265: October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers

Vendor Octobercms
Product october
Weakness CWE-644
Published March 10, 2021
Last update May 29, 2025

CVSS base score

6.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

Description

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request to an October CMS instance regardless of the HOST header), the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature that allows a set of trusted hosts to be specified in the application. As a workaround, one may set the configuration setting cms.linkPolicy to force.

Key dates

Disclosure timeline

March 10, 2021 CVE published
May 29, 2025 Record updated