Patch your code for October CMS Auth Bypass CVE-2021-32648
- Open the file vendor/october/rain/src/Auth/Models/User.php
- Perform the patch found in these diff notes
- Save the file
You are converting a loose comparison to a strict comparison by replacing two (2) equal signs == with three (3) equal signs ===. This blocks the attack vector as described in CVE-2021-32648 and also CVE-2021-29487.
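
Why the extra equal sign matters, as an added example that is not October CMS code: the function names checkCodeLoose and checkCodeStrict and the sample reset code are constructed for illustration. It compares a stored string against several submitted values using both operators.

```php
<?php
declare(strict_types=1);

// Added illustration, not October CMS code. Function names and the
// sample reset code below are constructed for this example.

/** Pre-patch style check: == lets PHP convert types before comparing. */
function checkCodeLoose(?string $stored, $submitted): bool
{
    return $stored == $submitted;
}

/** Patched style check: === requires the same type and the same value. */
function checkCodeStrict(?string $stored, $submitted): bool
{
    return $stored === $submitted;
}

$stored = 'Zx81kQpLm0Vt'; // constructed sample code held server-side

// Constructed inputs: the right code, a wrong code, and non-string values.
$cases = [
    'correct string' => 'Zx81kQpLm0Vt',
    'wrong string'   => 'not-the-code',
    'boolean true'   => true,
    'null'           => null,
];

// Print one row per input so the two operators can be compared side by side.
foreach ($cases as $label => $submitted) {
    printf(
        "%-15s loose=%-5s strict=%s\n",
        $label,
        var_export(checkCodeLoose($stored, $submitted), true),
        var_export(checkCodeStrict($stored, $submitted), true)
    );
}
```

The two checks disagree only on the boolean row: a non-empty string compares loosely equal to true, while the strict check accepts nothing but the identical string.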
This issue has been patched in October CMS Build 472 (v1.0.472+) and v1.1.5+. This issue does not affect v2.0.0+.