Improper Control of Generation of Code ('Code Injection')
CVE-2023-44382
Summary
October is a Content Management System (CMS) and web platform to assist with development workflow. An authenticated backend user with the "editor.cms_pages", "editor.cms_layouts", or "editor.cms_partials" permissions, who would normally not be permitted to provide PHP code for the CMS to execute because "cms.safe_mode" is enabled, can write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone who already trusts users with those permissions to write and manage PHP within the CMS, that is, anyone who runs without "cms.safe_mode" enabled. It is a problem for anyone relying on "cms.safe_mode" to ensure that users with those permissions in production cannot write and execute arbitrary PHP. This issue affects versions 3.0.0 through 3.4.14.
- LOW
- NETWORK
- HIGH
- CHANGED
- NONE
- HIGH
- HIGH
- HIGH
CWE-94 - Code Injection
Code injection is a type of vulnerability that allows an attacker to execute arbitrary code. This vulnerability fully compromises the machine and can cause a wide variety of security issues, such as unauthorized access to sensitive information, manipulation of data, and denial of service attacks. Code injection differs from command injection in that it is limited by the functionality of the injected language (e.g. PHP), whereas command injection leverages existing code to execute commands, usually within the context of a shell.