CVE-2022-35944 MEDIUM

CVE-2022-35944: October CMS Safe Mode bypass leads to authenticated RCE (Remote Code Execution)

Vendor Octobercms
Product october
Weakness CWE-94 · Code injection
Published October 13, 2022
Last update April 23, 2025

CVSS base score

6.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

01Description

October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request. The issue has been patched in versions 2.2.34 and 3.0.66.

Key dates

02Disclosure timeline

October 13, 2022 CVE published
April 23, 2025 Record updated