Deleted Admin Can Sign In to Admin Interface
Description
Reviewed
Oct 6, 2021
Published to the GitHub Advisory Database
Oct 6, 2021
Published by the National Vulnerability Database
Oct 6, 2021
Last updated
Jan 27, 2023
Impact
Assuming an administrator once had previous access to the admin interface, they may still be able to sign in to the backend using October CMS v2.0.
Patches
The issue has been patched in v2.1.12
Workarounds
Reset the password of the deleted accounts to prevent them from signing in.
Please contact [email protected] for code change instructions if you are unable to upgrade.
References
Credits to:
• Daniel Bidala
For more information
If you have any questions or comments about this advisory:
References