Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1wOHEzLWg2NTItNjV2eM4AA3a2

October CMS safe mode bypass using Twig sandbox escape

Impact

An authenticated backend user with the editor.cms_pages, editor.cms_layouts, or editor.cms_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.safe_mode being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.

This is not a problem for anyone who trusts their users with those permissions to usually write and manage PHP within the CMS by not having cms.safe_mode enabled. Still, it would be a problem for anyone relying on cms.safe_mode to ensure that users with those permissions in production do not have access to write and execute arbitrary PHP.

Patches

This issue has been patched in v3.4.15.

Workarounds

As a workaround, remove the specified permissions from untrusted users.

References

Credits to:

• Vasiliy Bodrov

For more information

If you have any questions or comments about this advisory:

• Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-p8q3-h652-65vx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wOHEzLWg2NTItNjV2eM4AA3a2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 5 months ago
Updated: 5 months ago

CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-p8q3-h652-65vx, CVE-2023-44382
References:

• https://github.com/octobercms/october/security/advisories/GHSA-p8q3-h652-65vx
• https://nvd.nist.gov/vuln/detail/CVE-2023-44382
• https://github.com/advisories/GHSA-p8q3-h652-65vx

Repository: https://github.com/octobercms/october
Blast Radius: 23.0

Affected Packages