Headline
GHSA-p8q3-h652-65vx: October CMS safe mode bypass using Twig sandbox escape
Impact
An authenticated backend user with the editor.cms_pages, editor.cms_layouts, or editor.cms_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.safe_mode being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.
This is not a problem for anyone who trusts their users with those permissions to usually write and manage PHP within the CMS by not having cms.safe_mode enabled. Still, it would be a problem for anyone relying on cms.safe_mode to ensure that users with those permissions in production do not have access to write and execute arbitrary PHP.
Patches
This issue has been patched in v3.4.15.
Workarounds
As a workaround, remove the specified permissions from untrusted users.
References
Credits to:
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
Impact
An authenticated backend user with the editor.cms_pages, editor.cms_layouts, or editor.cms_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.safe_mode being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.
This is not a problem for anyone who trusts their users with those permissions to usually write and manage PHP within the CMS by not having cms.safe_mode enabled. Still, it would be a problem for anyone relying on cms.safe_mode to ensure that users with those permissions in production do not have access to write and execute arbitrary PHP.
Patches
This issue has been patched in v3.4.15.
Workarounds
As a workaround, remove the specified permissions from untrusted users.
References
Credits to:
- Vasiliy Bodrov
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
References
- GHSA-p8q3-h652-65vx
Related news
October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the `editor.cms_pages`, `editor.cms_layouts`, or `editor.cms_partials` permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to `cms.safe_mode` being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This issue has been patched in 3.4.15.