CVE-2020-15247
Twig Sandbox Escape by authenticated users with access to editing CMS templates when safemode is enabled.
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having cms.enableSafeMode enabled, but would be a problem for anyone relying on cms.enableSafeMode to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP. Issue has been patched in Build 469 (v1.0.469) and v1.1.0.
October es una plataforma CMS gratuita, de código abierto y autohosteada basada en Laravel PHP Framework. En October CMS desde la versión 1.0.319 y anterior a versión 1.0.469, un usuario del backend autenticado con los permisos cms.manage_pages, cms.manage_layouts o cms.manage_partials que normalmente no estaría autorizado a proporcionar código PHP para ser ejecutado por el CMS debido a que cms.enableSafeMode está habilitado, es capaz de escribir código específico de Twig para escapar del sandbox de Twig y ejecutar PHP arbitrario. Esto no es un problema para cualquiera que confíe en sus usuarios con esos permisos para escribir y administrar PHP normalmente dentro del CMS al no tener cms.enableSafeMode habilitado, pero sería un problema para cualquiera que confíe en cms.enableSafeMode para asegurarse de que los usuarios con esos permisos en producción no poseen acceso para escribir y ejecutar PHP arbitrario
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-06-25 CVE Reserved
- 2020-11-23 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-862: Missing Authorization
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/octobercms/october/security/advisories/GHSA-94vp-rmqv-5875 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/octobercms/october/commit/4c650bb775ab849e48202a4923bac93bd74f9982 | 2021-11-18 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Octobercms Search vendor "Octobercms" | October Search vendor "Octobercms" for product "October" | >= 1.0.319 < 1.0.469 Search vendor "Octobercms" for product "October" and version " >= 1.0.319 < 1.0.469" | - |
Affected
|