SB2022011410 - Multiple vulnerabilities in October CMS

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Code Injection (CVE-ID: CVE-2021-32649)

The vulnerability allows a remote user to execute arbitrary PHP code on the target system.

The vulnerability exists due to improper input validation. A remote user with "create, modify and delete website pages" privileges can execute PHP code by running specially crafted Twig code in the template markup.

2) Code Injection (CVE-ID: CVE-2021-32650)

The vulnerability allows a remote user to execute arbitrary PHP code on the target system.

The vulnerability exists due to improper input validation in the theme import feature. A remote user with access to the backend can bypass the safe mode feature that prevents PHP execution in the CMS templates and execute arbitrary PHP code on the system.

Remediation

Install update from vendor's website.

References

• https://github.com/octobercms/october/security/advisories/GHSA-wv23-pfj7-2mjj/
• https://github.com/octobercms/october/security/advisories/GHSA-5hfj-r725-wpc4/