GHSA-q22j-5r3g-9hmh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q22j-5r3g-9hmh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-q22j-5r3g-9hmh/GHSA-q22j-5r3g-9hmh.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q22j-5r3g-9hmh
- Aliases
- Published
- 2023-11-29T21:33:16Z
- Modified
- 2023-12-04T15:17:41Z
- Severity
-
- 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- October CMS safe mode bypass using Page template injection
- Details
-
Impact
An authenticated backend user with the
editor.cms_pages,editor.cms_layouts, oreditor.cms_partialspermissions who would normally not be permitted to provide PHP code to be executed by the CMS due tocms.safe_modebeing enabled can craft a special request to include PHP code in the CMS template.This is not a problem for anyone who trusts their users with those permissions to usually write & manage PHP within the CMS by not having
cms.safe_modeenabled. Still, it would be a problem for anyone relying oncms.safe_modeto ensure that users with those permissions in production do not have access to write and execute arbitrary PHP.Patches
This issue has been patched in v3.4.15.
Workarounds
As a workaround, remove the specified permissions from untrusted users.
References
Credits to: - Vasiliy Bodrov
For more information
If you have any questions or comments about this advisory: * Email us at hello@octobercms.com
- Database specific
{ "github_reviewed_at": "2023-11-29T21:33:16Z", "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2023-12-01T22:15:09Z", "cwe_ids": [ "CWE-94" ] }- References
Affected packages
Packagist / october/system
Package
- Name
- october/system
- Purl
- pkg:composer/october/system