CVE-2021-21264

Published on: 05/03/2021 12:00:00 AM UTC

Last Modified on: 05/03/2021 05:37:00 PM UTC

CVE-2021-21264 - advisory for GHSA-fcr8-6q7r-m4wg

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Certain versions of October from Octobercms contain the following vulnerability:

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-26231 (fixed in 1.0.470/471 and 1.1.1) was discovered that has the same impact as CVE-2020-26231 and CVE-2020-15247.

An authenticated backend user with the `cms.manage_pages`, `cms.manage_layouts`, or `cms.manage_partials` permissions who would **normally** not be permitted to provide PHP code to be executed by the CMS, because `cms.enableSafeMode` is enabled, is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.

This is not a problem for anyone who trusts their users with those permissions to write and manage PHP within the CMS and therefore runs with `cms.enableSafeMode` disabled. It is a problem for anyone relying on `cms.enableSafeMode` to ensure that users with those permissions in production cannot write and execute arbitrary PHP.

The issue has been patched in Build 472 (v1.0.472) and v1.1.2. As a workaround, if you cannot upgrade to Build 472 or v1.1.2, apply https://github.com/octobercms/october/commit/f63519ff1e8d375df30deba63156a2fc97aa9ee7 to your installation manually.
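The advisory names two release lines with two different fixed builds, so a single "version >= fixed" comparison gets it wrong: 1.1.1 sorts above 1.0.472 yet is unpatched. The following is an added example, not code from October CMS or from the advisory, that decides whether an installation is exposed under this advisory's own conditions (unpatched build plus reliance on `cms.enableSafeMode`). It assumes you already know the installed version string and the effective safe-mode setting; where the build number is stored in a real install is not assumed here, and the version strings used as input are constructed samples.

```python
"""Branch-aware affected-version check for CVE-2021-21264 (October CMS).

Added example, not part of the advisory or the October CMS code base.
Fixed builds (1.0.472 and 1.1.2) are taken from the advisory text.
"""
from dataclasses import dataclass

# Fixed build per release line, from GHSA-fcr8-6q7r-m4wg.
# Keyed by (major, minor) so that each line is compared against its own fix.
FIXED_BY_LINE = {
    (1, 0): (1, 0, 472),
    (1, 1): (1, 1, 2),
}


def parse_version(text):
    """Turn '1.0.471', 'v1.1.1' or 'Build 471' into a comparable tuple.

    'Build N' is the 1.0.x naming used in the advisory ("Build 472").
    """
    s = text.strip().lower()
    if s.startswith("build "):
        return (1, 0, int(s.split()[1]))
    parts = tuple(int(p) for p in s.lstrip("v").split("."))
    if len(parts) != 3:
        raise ValueError(f"unrecognised version: {text!r}")
    return parts


@dataclass
class Assessment:
    version: tuple
    patched: bool
    exposed: bool   # unpatched AND relying on cms.enableSafeMode
    reason: str


def assess(version_text, enable_safe_mode):
    """Classify an install. enable_safe_mode is the effective value of
    cms.enableSafeMode (True = safe mode on); the caller resolves any
    config defaults before passing it in."""
    v = parse_version(version_text)
    line = v[:2]
    if line not in FIXED_BY_LINE:
        # Only 1.0.x and 1.1.x are named by the advisory; say so rather than guess.
        return Assessment(v, False, False,
                          "release line not covered by the advisory")
    if v >= FIXED_BY_LINE[line]:
        return Assessment(v, True, False, "fixed build")
    if not enable_safe_mode:
        # Advisory: not an issue when safe mode is off, because those users are
        # already trusted to write PHP through the CMS.
        return Assessment(v, False, False,
                          "safe mode disabled; users with these permissions "
                          "are already allowed to write PHP")
    return Assessment(v, False, True,
                      "unpatched and relying on cms.enableSafeMode: backend users "
                      "with cms.manage_pages/layouts/partials can escape the Twig "
                      "sandbox and run arbitrary PHP")


def naive_is_patched(version_text):
    """The comparison to avoid: one threshold for both lines. Marks 1.1.1
    as patched because (1, 1, 1) > (1, 0, 472)."""
    return parse_version(version_text) >= (1, 0, 472)


if __name__ == "__main__":
    # Constructed sample inventory: (version, effective enableSafeMode)
    for ver, safe in [("1.0.471", True), ("Build 472", True),
                      ("v1.1.1", True), ("1.1.2", True), ("1.1.1", False)]:
        a = assess(ver, safe)
        print(f"{ver:>10} safeMode={safe!s:5} patched={a.patched!s:5} "
              f"exposed={a.exposed!s:5} {a.reason}")
```

`naive_is_patched` is included only to show the pitfall: it reports 1.1.1 as patched, while `assess` correctly flags it. An install that reports "safe mode disabled" is not a finding under this CVE, but it is worth confirming that the people holding the three `cms.manage_*` permissions are really meant to have PHP execution on that host.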

  • CVE-2021-21264 has been assigned by [email protected] to track the vulnerability
  • Affected Vendor/Software: octobercms - october version 1.0.471
  • Affected Vendor/Software: octobercms - october version 1.1.1

CVE References

Description: Bypass of fix for CVE-2020-26231, Twig sandbox escape · Advisory · octobercms/october · GitHub
Tags: CONFIRM
Link: github.com/octobercms/october/security/advisories/GHSA-fcr8-6q7r-m4wg

Known Affected Software

Vendor Product Version
Octobercms october 1.0.471
Octobercms october 1.1.1

Social Mentions

Source Title Posted (UTC)
Twitter @CVEreport CVE-2021-21264 : October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A by… twitter.com/i/web/status/1… 2021-05-03 16:06:28
Reddit /r/netcve CVE-2021-21264 2021-05-03 16:41:24

© CVE.report 2021

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation, and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
