An authenticated backend user with the editor.cms_pages, editor.cms_layouts, or editor.cms_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.safe_mode being enabled can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP.
This is not a problem for anyone who trusts their users with those permissions to usually write and manage PHP within the CMS by not having cms.safe_mode enabled. Still, it would be a problem for anyone relying on cms.safe_mode to ensure that users with those permissions in production do not have access to write and execute arbitrary PHP.
This issue has been patched in v3.4.15.
As a workaround, remove the specified permissions from untrusted users.
Credits to:
- Vasiliy Bodrov
If you have any questions or comments about this advisory:
* Email us at [email protected]
| Score | Percentile |
|---|---|
| 0.25% | 47.74% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 9.1 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-p8q3-h652-65vx ↗ |
| CVE | CVE-2023-44382 ↗ |
| CWE id | Name |
|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | october/system | >= 3.0.0, < 3.4.15 | 3.4.15 | — |