Code Injection in October CMS

#VU52790 Code Injection in October CMS

Published: 2021-05-03

Vulnerability identifier: #VU52790

Vulnerability risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21264

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
October CMS
Web applications / CMS

Vendor: OctoberCMS

Description

The vulnerability allows a remote user to execute arbitrary PHP code on the target system.

The vulnerability exists due to incomplete patch implementation for previously patched vulnerabilities #VU48707 and #VU48710. A remote authenticated user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

October CMS: 1.1.1, 1.0.470 - 1.0.471

External links
http://github.com/octobercms/october/security/advisories/GHSA-fcr8-6q7r-m4wg/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Twig sandbox bypass in October CMS