GHSA-p8q3-h652-65vx

Suggest an improvement
Source
https://github.com/advisories/GHSA-p8q3-h652-65vx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-p8q3-h652-65vx/GHSA-p8q3-h652-65vx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p8q3-h652-65vx
Aliases
  • CVE-2023-44382
Published
2023-11-29T21:33:21Z
Modified
2023-12-04T15:18:39Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
October CMS safe mode bypass using Twig sandbox escape
Details

Impact

An authenticated backend user with the editor.cms_pages, editor.cms_layouts, or editor.cms_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.safe_mode being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.

This is not a problem for anyone who trusts their users with those permissions to usually write and manage PHP within the CMS by not having cms.safe_mode enabled. Still, it would be a problem for anyone relying on cms.safe_mode to ensure that users with those permissions in production do not have access to write and execute arbitrary PHP.

Patches

This issue has been patched in v3.4.15.

Workarounds

As a workaround, remove the specified permissions from untrusted users.

References

Credits to: - Vasiliy Bodrov

For more information

If you have any questions or comments about this advisory: * Email us at hello@octobercms.com

References

Affected packages

Packagist / october/system

Package

Name
october/system
Purl
pkg:composer/october/system

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.4.15