Home > Vulnerability Database > CVE-2021-21265

Mend.io Vulnerability Database

CVE-2021-21265

Good to know:

Date: March 10, 2021

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October before version 1.1.2, when running on poorly configured servers (i.e. the server routes any request, regardless of the HOST header to an October CMS instance) the potential exists for Host Header Poisoning attacks to succeed. This has been addressed in version 1.1.2 by adding a feature to allow a set of trusted hosts to be specified in the application. As a workaround one may set the configuration setting cms.linkPolicy to force.

Language: PHP

Severity Score

7.5

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-21265

Url: https://github.com/octobercms/library/commit/f86fcbcd066d6f8b939e8fe897409d152b11c3c6

Url: https://github.com/octobercms/october/security/advisories/GHSA-xhfx-hgmf-v6vp

Url: https://github.com/octobercms/october/commit/f638d3f78cfe91d7f6658820f9d5e424306a3db0

Url: https://www.mend.io/vulnerability-database/CVE-2021-21265

Severity Score

7.5

Weakness Type (CWE)

Improper Neutralization of HTTP Headers for Scripting Syntax

CWE-644

Top Fix

Upgrade Version

Upgrade to version v1.1.2

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-21265

Good to know:

Date: March 10, 2021

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?