Summary
Workarounds
Apply https://github.com/octobercms/october/commit/e3b455ad587282f0fbcb7763c6d9c3d000ca1e6a to your installation manually if unable to upgrade to Build 475 or v1.1.11.
Recommendations
We recommend the following steps to make sure your account information stays secure:
- Do not share your license key with anyone except October CMS.
- Check to make sure that your gateway update server has not been modified.
- Be aware of phishing websites, including other platforms that use the same appearance.
- For authors, you may contact us for help requesting the removal of affected plugins.
- Before providing plugin support, verify that the user holds a legitimate copy of the plugin.
References
Credits for research on this exploit:
- Nikita Khaetsky
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Impact
This advisory affects authors of plugins and themes listed on the October CMS marketplace: an end-user who enters their private license key into a compromised server inadvertently exposes those authors to potential financial loss.
It has been disclosed that a project fork of October CMS v1.0 is using a compromised gateway to access the October CMS marketplace service. The compromised gateway captures the personal/business information of users and authors, including private source code files. It was also disclosed that captured plugin files are freely redistributed to other users without authorization.
End-users are provided with a forked version of October CMS v1.0. The provided software is modified to use a compromised gateway server.
The user is instructed to enter their October CMS license key into the administration panel to access the October CMS marketplace. The key is sent to the compromised server while appearing to access the genuine October CMS gateway server.
The compromised gateway server uses a "man in the middle" mechanism that captures information while forwarding the request to the genuine October CMS gateway and relaying the response back to the client.
The compromised gateway server stores the license key and other information about the user account including client name, email address and contents of purchased plugins and privately uploaded plugin files.
The stored plugin files are made available to other users of the compromised gateway server.
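The recommendation above to check that your gateway update server has not been modified can be automated. The following is an added example, not code from October CMS or from this advisory; it assumes the gateway URL lives under an `updateServer` key in `config/cms.php` and that `gateway.octobercms.com` is the genuine host, so confirm both against your own installation. It flags a configuration that points anywhere else or that uses plain HTTP, which is the kind of change a forked build relying on an intercepting gateway would need to make.

```python
import re
from urllib.parse import urlparse

# Host of the genuine October CMS gateway. This is an assumption made for the
# example; confirm it against the official documentation for your version.
EXPECTED_GATEWAY_HOST = "gateway.octobercms.com"

# Matches the 'updateServer' entry in config/cms.php. The key name is taken
# from the October CMS v1.x config layout and is an assumption of this example.
UPDATE_SERVER_RE = re.compile(r"""['"]updateServer['"]\s*=>\s*['"]([^'"]+)['"]""")


def extract_update_server(config_text):
    """Return the configured update server URL, or None if the key is absent."""
    match = UPDATE_SERVER_RE.search(config_text)
    return match.group(1) if match else None


def check_gateway(config_text, expected_host=EXPECTED_GATEWAY_HOST):
    """Return a list of findings; an empty list means the gateway looks genuine."""
    findings = []
    url = extract_update_server(config_text)
    if url is None:
        findings.append("no updateServer entry found in config")
        return findings
    parsed = urlparse(url)
    # A downgraded scheme makes interception trivial even with the right host.
    if parsed.scheme != "https":
        findings.append(f"update server does not use https: {url}")
    # Any other host means requests (and license keys) go somewhere else first.
    if parsed.hostname != expected_host:
        findings.append(
            f"update server host is {parsed.hostname!r}, expected {expected_host!r}"
        )
    return findings


# Constructed sample config fragments for demonstration (not real October CMS files).
GENUINE_CONFIG = """
    'updateServer' => 'https://gateway.octobercms.com/api',
"""
TAMPERED_CONFIG = """
    'updateServer' => 'http://gateway.example.invalid/api',
"""

if __name__ == "__main__":
    for name, cfg in (("genuine", GENUINE_CONFIG), ("tampered", TAMPERED_CONFIG)):
        print(name, check_gateway(cfg) or "OK")
```

Run it against the real `config/cms.php` by reading the file into `check_gateway`; any finding means the update server setting deserves a closer look before a license key is entered.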
CVE-2022-23655 has a CVSS score of 4.8 (Medium). The vector is network-reachable, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.1.11, 1.0.475); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The issue has been patched in Build 475 (v1.0.475) and v1.1.11.
Frequently Asked Questions
- What is CVE-2022-23655? CVE-2022-23655 is a medium-severity security vulnerability in october/system (composer), affecting versions >= 1.1.0, < 1.1.11. It is fixed in 1.1.11, 1.0.475.
- How severe is CVE-2022-23655? CVE-2022-23655 has a CVSS score of 4.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of october/system are affected by CVE-2022-23655? october/system (composer) versions >= 1.1.0, < 1.1.11 are affected.
- Is there a fix for CVE-2022-23655? Yes. CVE-2022-23655 is fixed in 1.1.11, 1.0.475. Upgrade to this version or later.
- Is CVE-2022-23655 exploitable, and should I be worried? Whether CVE-2022-23655 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2022-23655 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2022-23655?
  - Upgrade october/system to 1.1.11 or later
  - Upgrade october/system to 1.0.475 or later