CVE-2021-21265

October CMS vulnerable to Potential Host Header Poisoning on misconfigured servers

Description

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.

Category

6.8
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.29%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com
Affected: octobercms october
Published at:
Updated at:

References

Link Tags
https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp third party advisory patch
https://github.com/octobercms/library/commit/f29865ae3db7a03be7c49294cd93980ec457f10d
https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6 third party advisory patch
https://github.com/octobercms/october/commit/555ab61f2313f45d7d5d138656420ead536c5d30
https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0 third party advisory patch
https://packagist.org/packages/october/backend

Frequently Asked Questions

What is the severity of CVE-2021-21265?
CVE-2021-21265 has been scored as a medium severity vulnerability.
How to fix CVE-2021-21265?
To fix CVE-2021-21265, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-21265 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-21265 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-21265?
CVE-2021-21265 affects octobercms october.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.