
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-24800 affects October/System, the system module for October CMS, a self-hosted CMS platform built on the Laravel PHP framework. In versions prior to 1.0.476, 1.1.12, and 2.2.15, an unauthenticated user could achieve remote code execution (RCE) by exploiting a race condition in the temporary storage directory when a developer lets users choose the filename passed to the fromData method. The vulnerability only affects plugins that expose October\Rain\Database\Attach\File::fromData as a public interface with a user-controlled filename; vanilla installations of October CMS are not affected (GitHub Advisory).
The root cause is a race condition in the temporary storage directory while a file is being processed through fromData. The issue received a CVSS v3.1 Base Score of 8.1 (HIGH) with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network without privileges or user interaction, with High attack complexity reflecting the need to win the race window before the temporary file is removed. It is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) (NVD).
Successful exploitation lets an unauthenticated attacker execute arbitrary code on the affected server, which can lead to complete compromise of the host, since the vulnerability has High impact on confidentiality, integrity, and availability (GitHub Advisory).
The vulnerability is patched in Build 476 (v1.0.476), v1.1.12, and v2.2.15. Users who cannot upgrade can apply the patch from octobercms/library@fe569f3 to their installation as a manual workaround. The fix changes the file handling so that unique temporary filenames are used during the upload process instead of the caller-supplied name (GitHub Advisory). Plugin authors should also audit any code that passes request-controlled filenames into fromData, since that is the only pattern the advisory identifies as exploitable.
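The vulnerable pattern described above, set beside a hardened variant, as an added PHP illustration that is not code from October CMS, the octobercms/library patch, or this advisory. The function names `vulnerableFromData` and `hardenedFromData`, the extension allowlist, and the use of the system temp directory are assumptions made for the example; the real `File::fromData` signature and internals are not reproduced here.

```php
<?php
// Added illustration, not October CMS or octobercms/library code.
// Function names, allowlist and temp directory are assumptions for the example.
declare(strict_types=1);

/**
 * Vulnerable pattern: the on-disk temporary name is taken verbatim from the caller.
 * A plugin that passes a request parameter here lets an attacker choose a name
 * such as "shell.php". Between file_put_contents() and unlink() the file exists
 * under that name; if the temp directory is served by the web server, a second
 * request can execute it during that window (the race the advisory describes).
 */
function vulnerableFromData(string $data, string $userFilename, string $tempDir): string
{
    $tempPath = $tempDir . '/' . $userFilename;
    file_put_contents($tempPath, $data);   // race window opens here
    // ... the file would normally be moved into attachment storage here ...
    unlink($tempPath);                      // race window closes here
    return $tempPath;
}

/**
 * Hardened pattern: the caller's name never reaches the filesystem.
 * The temp file gets a random name with a fixed non-executable extension,
 * is created with 'x' mode (fails if the path already exists) and mode 0600,
 * and the user-supplied name is kept only as metadata after an allowlist check.
 * The temp directory should additionally live outside the web root.
 */
function hardenedFromData(string $data, string $userFilename, string $tempDir): array
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt']; // assumption: tune per plugin
    $displayName = basename($userFilename);                 // strip any path components
    $ext = strtolower(pathinfo($displayName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        throw new InvalidArgumentException("Extension not allowed: {$ext}");
    }

    $tempPath = $tempDir . '/' . bin2hex(random_bytes(16)) . '.tmp';
    $fh = fopen($tempPath, 'x');            // refuse to clobber an existing file
    if ($fh === false) {
        throw new RuntimeException('Could not create temporary file');
    }
    try {
        chmod($tempPath, 0600);
        fwrite($fh, $data);
    } finally {
        fclose($fh);
    }
    return ['temp' => $tempPath, 'name' => $displayName];
}

// Demonstration with a constructed payload written to the system temp directory.
$tempDir = sys_get_temp_dir();
$payload = "<?php system(\$_GET['c']); ?>";

$v = vulnerableFromData($payload, 'shell.php', $tempDir);
echo "vulnerable temp name: {$v}\n";        // attacker-chosen .php name on disk

try {
    hardenedFromData($payload, '../shell.php', $tempDir);
} catch (InvalidArgumentException $e) {
    echo "hardened rejected: {$e->getMessage()}\n";   // "php" is not allowlisted
}

$h = hardenedFromData('hello', 'notes.txt', $tempDir);
echo "hardened temp name: {$h['temp']} (display name {$h['name']})\n";
unlink($h['temp']);
```

Run it with `php example.php`. The point of the contrast is that the hardened version removes the attacker's influence over the on-disk name entirely, so even if the race is won the file that exists during the window is a random `.tmp` that no web server will execute.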
Source: This report was generated using AI