High severity8.8NVD Advisory· Published Nov 1, 2017· Updated May 13, 2026
CVE-2017-16244
CVE-2017-16244
Description
Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for postback handling, allowing an attacker to successfully take over the victim's account. The attack bypasses a protection mechanism involving X-CSRF headers and CSRF tokens via a certain _handler postback variable.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
october/octoberPackagist | < 1.0.427 | 1.0.427 |
Affected products
1- cpe:2.3:a:octobercms:october:1.0.426:*:*:*:*:*:*:*
Patches
14a6e0e1e0e2cImplement CSRF token by default
2 files changed · +30 −1
config/cms.php+1 −1 modified@@ -332,7 +332,7 @@ | */ - 'enableCsrfProtection' => false, + 'enableCsrfProtection' => true, /* |--------------------------------------------------------------------------
modules/cms/classes/Controller.php+29 −0 modified@@ -337,6 +337,7 @@ public function runPage($page, $useAjax = true) if ( $useAjax && ($handler = post('_handler')) && + ($this->verifyCsrfToken()) && ($handlerResponse = $this->runAjaxHandler($handler)) && $handlerResponse !== true ) { @@ -1355,4 +1356,32 @@ protected function setComponentPropertiesFromParams($component, $parameters = [] } } } + + // + // Security + // + + /** + * Checks the request data / headers for a valid CSRF token. + * Returns false if a valid token is not found. Override this + * method to disable the check. + * @return bool + */ + protected function verifyCsrfToken() + { + if (!Config::get('cms.enableCsrfProtection')) { + return true; + } + + if (in_array(Request::method(), ['HEAD', 'GET', 'OPTIONS'])) { + return true; + } + + $token = Request::input('_token') ?: Request::header('X-CSRF-TOKEN'); + + return hash_equals( + Session::token(), + $token + ); + } }
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/octobercms/october/commit/4a6e0e1e0e2c3facebc17e0db38c5b4d4cb05bd0nvdPatchThird Party AdvisoryWEB
- www.exploit-db.com/exploits/43106/nvdExploitThird Party AdvisoryVDB Entry
- github.com/advisories/GHSA-vm6r-4p4v-232xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-16244ghsaADVISORY
- www.exploit-db.com/exploits/43106ghsaWEB
News mentions
0No linked articles in our index yet.