Two serious vulnerabilities have been identified in the back-end and have been addressed in Build 437. We strongly recommend updating to this version.
These issues affect all websites running October CMS Build 436 and earlier where the back-end URL is known and reachable by anyone on the internet. Build 437 fixes two issues:
- An unauthenticated user can, via the back-end, execute PHP files already stored on the server.
- An authenticated back-end user can store a cross-site scripting (XSS) payload that runs in other administrators' sessions, potentially taking control of another admin's account.
If you are running Build 436 or earlier, perform a system update and confirm that you are running Build 437 or later.
Using the back-end interface
Navigate to Settings > Updates & Plugins, select Check for updates, and follow the update process to complete the upgrade.
Using the command line interface
Using the CLI, run the following command from your project root:
php artisan october:update
Or if you are using composer:
If you are unable to update for any reason, you can patch the affected files manually by referencing the fix commit on GitHub.
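The following script is an added example, not part of the October CMS advisory or project: it wraps the CLI update described above so it can be run idempotently across several installations. It assumes you supply the installed build number yourself (for example, as shown under Settings > Updates & Plugins) and the path to the project root containing artisan; the threshold of 437 is the fixed build named in this advisory.

```shell
#!/bin/sh
# Added example (not from the October CMS advisory). Decides whether an
# installation still carries the two Build 437 issues and, if so, runs the
# documented CLI update. Usage: ./check_build.sh <installed-build> [project-root]
set -eu

# First build that contains the fixes described in the advisory.
FIXED_BUILD=437

# build_is_vulnerable BUILD
#   returns 0 when BUILD is 436 or earlier (affected),
#           1 when BUILD is 437 or later (already fixed),
#           2 when BUILD is empty or not a plain integer.
build_is_vulnerable() {
    build=$1
    case $build in
        ''|*[!0-9]*) return 2 ;;      # reject empty or non-numeric input
    esac
    [ "$build" -lt "$FIXED_BUILD" ]
}

# run_update [PROJECT_ROOT]
#   runs the advisory's update command from the project root; the root
#   location is an assumption supplied by the operator (default: cwd).
run_update() {
    root=${1:-.}
    if [ ! -f "$root/artisan" ]; then
        echo "error: no artisan found in $root" >&2
        return 1
    fi
    ( cd "$root" && php artisan october:update )
}

main() {
    installed=${1:-}
    root=${2:-.}
    build_is_vulnerable "$installed" && rc=0 || rc=$?
    case $rc in
        0) echo "Build $installed is affected; running october:update"
           run_update "$root" ;;
        1) echo "Build $installed already includes the Build 437 fixes" ;;
        *) echo "usage: $0 <installed-build> [project-root]" >&2
           return 2 ;;
    esac
}

# Only act when executed with arguments, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because `build_is_vulnerable` distinguishes "already fixed" from "unparseable input", a typo in the build number fails loudly instead of silently skipping the update.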