GHSA-p8q3-h652-65vx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p8q3-h652-65vx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-p8q3-h652-65vx/GHSA-p8q3-h652-65vx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-p8q3-h652-65vx
- Aliases
- Published
- 2023-11-29T21:33:21Z
- Modified
- 2023-12-04T15:18:39Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- October CMS safe mode bypass using Twig sandbox escape
- Details
-
Impact
An authenticated backend user with the
editor.cms_pages,editor.cms_layouts, oreditor.cms_partialspermissions who would normally not be permitted to provide PHP code to be executed by the CMS due tocms.safe_modebeing enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.This is not a problem for anyone who trusts their users with those permissions to usually write and manage PHP within the CMS by not having
cms.safe_modeenabled. Still, it would be a problem for anyone relying oncms.safe_modeto ensure that users with those permissions in production do not have access to write and execute arbitrary PHP.Patches
This issue has been patched in v3.4.15.
Workarounds
As a workaround, remove the specified permissions from untrusted users.
References
Credits to: - Vasiliy Bodrov
For more information
If you have any questions or comments about this advisory: * Email us at hello@octobercms.com
- Database specific
{ "nvd_published_at": "2023-12-01T22:15:09Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-94" ], "github_reviewed_at": "2023-11-29T21:33:21Z" }- References
Affected packages
Packagist / october/system
Package
- Name
- october/system
- Purl
- pkg:composer/october/system