### [CVE-2021-29487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29487)
![](https://img.shields.io/static/v1?label=Product&message=october&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-287%3A%20Improper%20Authentication&color=brighgreen)

### Description

octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can exploit this vulnerability to bypass authentication and takeover of and user account on an October CMS server. The vulnerability is exploitable by unauthenticated users via a specially crafted request. This only affects frontend users and the attacker must obtain a Laravel secret key for cookie encryption and signing in order to exploit this vulnerability. The issue has been patched in Build 472 and v1.1.5.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/daftspunk/CVE-2021-32648