CVE-2020-26231

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in 1.0.469 and 1.1.0) was discovered that has the same impact as CVE-2020-15247. An authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having cms.enableSafeMode enabled, but would be a problem for anyone relying on cms.enableSafeMode to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP. Issue has been patched in Build 470 (v1.0.470) and v1.1.1.

CVSS v3 6.7 MEDIUM
CVSS v2.0 4.4 MEDIUM

6.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 3.4 / Impact : 6.4

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/octobercms/october/commit/d34fb8ab51108495a9a651b841202d935f4e12f7	Patch Third Party Advisory
https://github.com/octobercms/october/security/advisories/GHSA-r89v-cgv7-3jhx	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:octobercms:october:1.0.469:::::::*
	cpe:2.3:a:octobercms:october:1.1.0:::::::*

History

No history.

Information

Published : 2020-11-23 21:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-26231

Mitre link : CVE-2020-26231

CVE.ORG link : CVE-2020-26231

JSON object : View

Products Affected

octobercms

october

CWE

CWE-862

Missing Authorization

{"id": "CVE-2020-26231", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.4, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 1.1}]}, "published": "2020-11-23T21:15:12.347", "references": [{"url": "https://github.com/octobercms/october/commit/d34fb8ab51108495a9a651b841202d935f4e12f7", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/octobercms/october/security/advisories/GHSA-r89v-cgv7-3jhx", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. A bypass of CVE-2020-15247 (fixed in 1.0.469 and 1.1.0) was discovered that has the same impact as CVE-2020-15247. An authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having cms.enableSafeMode enabled, but would be a problem for anyone relying on cms.enableSafeMode to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP. Issue has been patched in Build 470 (v1.0.470) and v1.1.1."}, {"lang": "es", "value": "October es una plataforma CMS gratuita, de c\u00f3digo abierto y autohosteada basada en Laravel PHP Framework. Se detect\u00f3 un bypass de CVE-2020-15247 (corregido en versiones 1.0.469 y 1.1.0), que tiene el mismo impacto que CVE-2020-15247. Un usuario del backend autenticado con los permisos cms.manage_pages, cms.manage_layouts o cms.manage_partials que normalmente no podr\u00eda proporcionar c\u00f3digo PHP para ser ejecutado por el CMS debido a que cms.enableSafeMode est\u00e1 habilitado, puede escribir c\u00f3digo Twig espec\u00edfico para escapar del sandbox de Twig y ejecutar PHP arbitrario. Esto no es un problema para cualquiera que conf\u00ede en sus usuarios con esos permisos para escribir y administrar PHP normalmente dentro del CMS al no tener cms.enableSafeMode habilitado, pero ser\u00eda un problema para cualquiera que conf\u00ede en cms.enableSafeMode para asegurarse de que los usuarios con esos permisos en producci\u00f3n no tienen acceso para escribir y ejecutar PHP arbitrario. El problema se corrigi\u00f3 en Build 470 (versi\u00f3n v1.0.470) y versi\u00f3n v1.1.1"}], "lastModified": "2020-12-08T18:57:38.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octobercms:october:1.0.469:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40EC0658-E1FF-4267-951C-5AB8185E70CB"}, {"criteria": "cpe:2.3:a:octobercms:october:1.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7A37D3A-A944-4F0A-A023-04FEAD7BE347"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}